Admin
Many Security Very 2FA Such cyber
Admin
This is last century. The real solution would be, the token is integrated into the laptop and automatically enters the password when prompted.
Admin
This is what will eventually make 3FA a necessity
Admin
Yeah, because ... um ... well, no. The RSA token is meant to be easy to carry on a key ring, to the extent that they are sometimes called "RSA key fobs"...
But then, my company added (during the Covid lockdown times) a requirement for 2FA to access the company email server via its web interface. This wasn't actually to improve the "who can access it" security of the service, but to stop us from accessing it on non-company devices (like e.g. our home PC so we could keep tabs on what was going on during our vacation time)(1).
How do I know this? Well, the official instructions included downloading a TOTP browser plugin on the work laptop (Covid times => work-from-home => work laptop for everyone) and setting up the 2FA in that plugin. It means that the 2FA's second factor is right there on the PC next to the login page, with a name (suggested by the instructions) that makes it clear it's for the webmail...
(1) So instead I take the work laptop home every evening, and I can access my email from there...
Admin
As someone who carried around an RSA key in the 1990s, this actually isn't as stupid as it sounds. Two step authentication back then was purposed to avoid precisely the sort of problem that the OP describes -- writing the password down on a post-it attached to the desktop machine. (Trust me, I saw this happen all the time.) In principle, the same problem would occur if your (unencrypted, because stupidity) password was available over an internet hack.
In that case, the second (physical) step was actually a giant step forward. One might argue (and I did, at the time) that it obviates the need for the first step, which is obviously broken beyond repair, but in 99% of cases, it did in fact offer decent security. Obviously, if you get car-jacked in possession of a laptop with a sticky note attached and an RSA key, then it's kind of weak ... just about as weak as having the RSA key attached to your belt, in fact.
It was in fact so successful at <large financial corporation redacted> that we only had security issues with:
Looking back at those years, I think (5) is probably far more worrying than the OP.
Admin
For those of us who don't carry purses, or do carry only small purses, one fob-like device is far too many to comfortably carry in a pocket. And for those of us who drive, our car fob already grossly over-fills our pockets. A 2FA key is way too large to expect anyone to carry in a pocket as a personal accessory.
I'd be happy if they re-miniaturised car "keys" to be as small, light, and thin as they were in 1965. Despite the claims that car makers are building their cars solely for male tastes, ISTM the design of these monster fobs containing but a microchip is all about making them large enough to readily rummage for in a gigantic purse, not making them small enough to fit sleekly in a pants pocket.
Admin
I also think that it is inconvenient to carry your laptop on your key ring.
Admin
Agreed - much better than only passwords. In this form, the key token solves a similar problem to client certificates - to authenticate the computer. Slightly more secure than a client cert, because a piece of malware can't authenticate in the background.
Admin
Good idea for a patent.
If car key fobs are designed "for male tastes," then logically they should act as such. Insert key into ignition, and the fob automatically inflates to around 9" in length ....
Perhaps I'm overthinking this.
Admin
Anyone familiar with the procedure / algorithm used to deal with the drifting clock of the RSA token? Maybe they just allow a brief look-ahead and resynchronize on the minute boundary.
Admin
From what I remember, they just resynchronise and ask you to try again.
Those things were quite easy-going on retries back in the 1990s. You had to fail hard to get locked out.
Admin
5 reminded me of this XKCD:
https://xkcd.com/538/
Admin
Well, actually, if you think about it, any amount of multiple authorisations is inside out.
If everything was Bit-Lockered (or equivalent), then you really wouldn't need this. Want to access anything in the file system? Use the bit-locker password.
Admin
Except that 2FA can be (and is) used for access to remote stuff where end-users knowing the server's whole-disk encryption password is definitely not a good idea...
Admin
That is actually perfectly secure against by far the most common threat, a remote hacker. In fact the only attack it's really vulnerable to is someone who has physically stolen your laptop (and fob) while it was unlocked, which is (a) pretty unlikely and (b) going to get noticed and therefore responded to.
In fact I can't actually think of any real credible threat that this is an issue for. So as I ask pretty much anyone when they come up with some magical solution, or conversely a magical attack: What's your threat model?
Admin
Nowadays the key fob is replaced by an app on that smartphone you're (presumably) carrying anyway, but the original article is nearly 200 Internet Years old, so that wasn't really a thing back then.
When I had to code up server-side logic for TOTP a few years ago, I just allowed for a few minutes of clock difference in either direction, and if you entered any code that was valid within that window, then it was accepted. If you were dealing with a device where you didn't expect it to re-synchronize its clock with anything any time soon, then I guess it would be a good idea for the server to record its current drift and take that into account next time.
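A server-side check of the kind described in the two comments above (the drift question and the "accept anything valid within the window" answer), as an added example that is not code from the commenters: RFC 6238 TOTP with a tolerance of a few steps either side, remembering the drift seen at the last good login and refusing reuse of an already-accepted step. The secret is the RFC 4226/6238 test-vector key, used here as constructed sample input.

```python
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6

# Constructed sample input: the shared-secret from the RFC 4226/6238 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int, drift_steps: int = 0) -> str:
    """Code a token shows at Unix time `now`, with its clock off by `drift_steps` steps."""
    return hotp(secret, now // STEP + drift_steps)


def verify(secret: bytes, code: str, now: int, known_drift: int = 0,
           last_step: int = -1, window: int = 4):
    """Accept `code` if it matches any step within +/-window of the step the
    server expects (after applying the drift recorded at the last good login).
    window=4 is two minutes either way at a 30 s step.
    Returns (accepted, drift_to_store, last_step_to_store)."""
    base = now // STEP + known_drift
    for delta in range(-window, window + 1):
        step = base + delta
        # Never accept a step at or before the last accepted one: stops replay
        # of a code that was already used (RFC 6238 sec. 5.2), and skips
        # negative counters for very small `now` values.
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            # Remember how far off the token's clock was so the window stays
            # centred on it next time rather than slowly walking out of range.
            return True, known_drift + delta, step
    return False, known_drift, last_step
```

The first login below learns that the token runs three steps slow; the second login is then checked around the corrected centre, and a reused code is rejected.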
Admin
Having dealt with a good number of lost/stolen laptops over the years... having some form of security that is NOT "in the laptop bag" is key to any transportable machine...
[And we will not go into the time all of the machines were stolen from an office one night]
Admin
so dope