• Doge (unregistered)

    Many Security Very 2FA Such cyber

  • (nodebb)

    This is last century. The real solution would be, the token is integrated into the laptop and automatically enters the password when prompted.

  • Allie C (unregistered)

    This is what will eventually make 3FA a necessity

  • (nodebb)

    in that it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring

    Yeah, because ... um ... well, no. The RSA token is meant to be easy to carry on a key ring, to the extent that they are sometimes called "RSA key fobs"...

    But then, my company added (during the Covid lockdown times) a requirement for 2FA to access the company email server via its web interface. This wasn't actually to improve the "who can access it" security of the service, but to stop us from accessing it on non-company devices (like e.g. our home PC so we could keep tabs on what was going on during our vacation time)(1).

    How do I know this? Well, the official instructions included downloading a TOTP browser plugin on the work laptop (Covid times => work-from-home => work laptop for everyone) and setting up the 2FA in that plugin. It means that the 2FA's second factor is right there on the PC next to the login page, with a name (suggested by the instructions) that makes it clear it's for the webmail...

    (1) So instead I take the work laptop home every evening, and I can access my email from there...

  • Sole Purpose Of Visit (unregistered)

    As someone who carried around an RSA key in the 1990s, this actually isn't as stupid as it sounds. Two step authentication back then was purposed to avoid precisely the sort of problem that the OP describes -- writing the password down on a post-it attached to the desktop machine. (Trust me, I saw this happen all the time.) In principle, the same problem would occur if your (unencrypted, because stupidity) password was available over an internet hack.

    In that case, the second (physical) step was actually a giant step forward. One might argue (and I did, at the time) that it obviates the need for the first step, which is obviously broken beyond repair, but in 99% of cases, it did in fact offer decent security. Obviously, if you get car-jacked in possession of a laptop with a sticky note attached and an RSA key, then it's kind of weak ... just about as weak as having the RSA key attached to your belt, in fact.

    It was in fact so successful at <large financial corporation redacted> that we only had security issues with:

    1. Unlocked laptops in the server room containing every credit card number known to man
    2. Cleaners being able to take laptops off desks and throw them into the plastic trash wheelie, from where they were extricated once outside "security."
    3. Outward facing unencrypted FTP ports
    4. Probably a few others I can't recall right now
    5. US Treasury officials dropping down from a squadron of black helicopters and grilling ordinary employees like me. I mean, I didn't ask them whether they were authentically US Treasury. Any reasonably fit bloke can rappel down from a helicopter whilst dressed as a Mutant Ninja Turtle without the turtle bit.

    Looking back at those years, I think (5) is probably far more worrying than the OP.

  • WTFGuy (unregistered)

    For those of us who don't carry purses, or do carry only small purses, one fob-like device is far too many to comfortably carry in a pocket. And for those of us who drive, our car fob already grossly over-fills our pockets. A 2FA key is way too large to expect anyone to carry in a pocket as a personal accessory.

    I'd be happy if they re-miniaturised car "keys" to be as small, light, and thin as they were in 1965. Despite the claims that car makers are building their cars solely for male tastes, ISTM the design of these monster fobs containing but a microchip is all about making them large enough to readily rummage for in a gigantic purse, not making them small enough to fit sleekly in a pants pocket.

  • Christian (unregistered)

    in that it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring

    I also think that it is inconvenient to carry your laptop on your key ring.

  • fa (unregistered) in reply to Sole Purpose Of Visit

    Agreed - much better than only passwords. In this form, the key token solves a similar problem to client certificates - to authenticate the computer. Slightly more secure than a client cert, because a piece of malware can't authenticate in the background.

  • Sole Purpose Of Visit (unregistered) in reply to WTFGuy

    Good idea for a patent.

    If car key fobs are designed "for male tastes," then logically they should act as such. Insert key into ignition, and the fob automatically inflates to around 9" in length ....

    Perhaps I'm overthinking this.

  • (nodebb) in reply to Mr. TA

    This is last century. The real solution would be, the token is integrated into the laptop and automatically enters the password when prompted.

    Which makes it a version 0FA.

  • Yikes (unregistered)

    Anyone familiar with the procedure / algorithm used to deal with the drifting clock of the RSA token? Maybe they just allow a brief look-ahead and resynchronize on the minute boundary.

  • Sole Purpose Of Visit (unregistered) in reply to Yikes

    From what I remember, they just resynchronise and ask you to try again.

    Those things were quite easy-going on retries back in the 1990s. You had to fail hard to get locked out.

  • richarson (unregistered) in reply to Sole Purpose Of Visit

    5 reminded me of this XKCD:

    https://xkcd.com/538/

  • Sole Purpose Of Visit (unregistered) in reply to Allie C

    Well, actually, if you think about it, any amount of multiple authorisations is inside out.

    If everything was Bit-Lockered (or equivalent), then you really wouldn't need this. Want to access anything in the file system? Use the bit-locker password.

  • (nodebb) in reply to Sole Purpose Of Visit

    Except that 2FA can be (and is) used for access to remote stuff where end-users knowing the server's whole-disk encryption password is definitely not a good idea...

  • (nodebb)

    That is actually perfectly secure against by far the most common threat, a remote hacker. In fact the only attack it's really vulnerable to is someone who has physically stolen your laptop (and fob) while it was unlocked, which is (a) pretty unlikely and (b) going to get noticed and therefore responded to.

    In fact I can't actually think of any real credible threat that this is an issue for. So as I ask pretty much anyone when they come up with some magical solution, or conversely a magical attack: What's your threat model?

  • (nodebb)

    Nowadays the key fob is replaced by an app on that smartphone you're (presumably) carrying anyway, but the original article is nearly 200 Internet Years old, so that wasn't really a thing back then.

    When I had to code up server-side logic for TOTP a few years ago, I just allowed for a few minutes of clock difference in either direction, and if you entered any code that was valid within that window, then it was accepted. If you were dealing with a device where you didn't expect it to re-synchronize its clock with anything any time soon, then I guess it would be a good idea for the server to record its current drift and take that into account next time.

  • (nodebb)

    Having dealt with a good number of lost/stolen laptops over the years... having some form of security that is NOT "in the laptop bag" is key to any transportable machine...

    [And we will not go into the time all of the machines were stolen from an office one night]

Leave a comment on “Classic WTF: Security By Oblivity”
