Consumers don’t need 2FA, they need password managers

Dean Valentine, published in Leonard Cyber, Dec 15, 2020
*At least, not the 2FA they are most likely to be recommended and don’t have to pay for: TOTP/Duo/SMS.

I recently stopped actively enabling 2FA on most of the personal online accounts I use that don’t support my YubiKey, and even removed it from one I use regularly. If it’s behind a Single Sign-On portal (think “sign in with Google”) and I have a YubiKey set up for that identity provider, I make sure I log in via the SSO portal. Otherwise, I don’t bother, and just use a static password.

Here are some common ways account takeovers happen. I’m assuming targeted attacks here, for a particular person or company:

  1. People pick Winter2020! as a password, and the site or service doesn’t have very good brute-force prevention (or the attacker is Very Cool and has a bunch of IP addresses). The attacker just tries this on lots of users until it works for one.
  2. Someone downloads a dumped database of passwords or password hashes, finds one user’s email:password combination for a different service, optionally cracks it, tries it (and maybe variations) on the relevant one, and it works.
  3. Phishing (which is by far the easiest and most effective, and thus most common).
  4. Endpoint compromises; e.g. via opening Word macros, signing in on a library computer, etc.
  5. Compromises of the actual service, probably because it’s self-hosted and you don’t update it for a while, but maybe because someone found a bug in the mainline version.

Let’s go over each of these possibilities, with the fact that I use a password manager in mind:

All of my passwords are unique, 32+ characters long, randomly generated alphanumeric strings. I find the possibility of #1 and #2 for the sites I use pretty far-fetched. My passwords normally have more entropy than password hashing algorithms are even designed to defend against, so “brute-forcing” one is going to be as difficult as breaking whatever hash the site uses in the first place. While lots of sites don’t exactly use Argon2-plus-AEAD to store their passwords, most use something. Without looking, while I’m sure it has happened, I can’t recall any site I use ever having leaked the entirety of their users’ passwords in plaintext before. The worst I can think of was the Adobe breach, where they used AES-ECB instead of a hashing algorithm, and I didn’t even bother changing my password.
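To put numbers on the claim above, here is an added example (not code from the original post) that computes the entropy of a 32-character random alphanumeric password the way a password manager generates one, contrasts it with the effective entropy of a pattern password like Winter2020!, and checks a vault for the password reuse that scenario #2 depends on. The guess rates and the Season+Year+symbol pattern space are assumptions chosen to be generous to the attacker, and the vault contents are constructed.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols


def generate_password(length: int = 32, alphabet: str = ALPHANUMERIC) -> str:
    """What a password manager does: draw every character from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uniform_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(seasons: int = 4, years: int = 30, suffixes: int = 3) -> float:
    """Effective entropy of a Season+Year+symbol password such as Winter2020!
    against a guesser who knows the pattern. The pattern space is an assumption
    (4 seasons, 30 plausible years, 3 common trailing symbols)."""
    return math.log2(seasons * years * suffixes)


def years_to_expect_hit(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a secret of the given entropy: half the space."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


def accounts_exposed_by_leak(vault: dict, leaked_password: str) -> list:
    """Scenario #2: given one password leaked from some site, list the vault
    entries that share it. Credential stuffing only works on reused passwords,
    so a vault of unique passwords returns at most the leaking site itself."""
    return sorted(site for site, pw in vault.items() if pw == leaked_password)


def report() -> dict:
    # Assumed guess rates: 1e3/s for online guessing spread over many IPs,
    # 1e11/s for cracking an unsalted fast hash offline on a GPU rig.
    random_bits = uniform_entropy_bits(32, len(ALPHANUMERIC))
    naive_bits = uniform_entropy_bits(len("Winter2020!"), 94)  # what a meter shows
    return {
        "random_password_bits": round(random_bits, 1),
        "winter2020_naive_bits": round(naive_bits, 1),
        "winter2020_pattern_bits": round(pattern_entropy_bits(), 1),
        "online_seconds_pattern": 2 ** (pattern_entropy_bits() - 1) / 1e3,
        "online_years_random": years_to_expect_hit(random_bits, 1e3),
        "offline_years_random_fast_hash": years_to_expect_hit(random_bits, 1e11),
    }


if __name__ == "__main__":
    # Constructed vault: two sites reuse a password, the rest are generated.
    vault = {
        "shop.example": "Winter2020!",
        "forum.example": "Winter2020!",
        "bank.example": generate_password(),
        "mail.example": generate_password(),
    }
    print(report())
    print("exposed by a forum.example leak:",
          accounts_exposed_by_leak(vault, vault["forum.example"]))
```

The naive 72-bit figure for Winter2020! is what a strength meter reports; the pattern figure is what matters against scenario #1, and the generated password's 190 bits is why the hash algorithm's strength, not the password, becomes the bottleneck in scenario #2.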

Phishing is something I still worry about, but as it happens, no available 2FA mechanism besides YubiKeys provides meaningful protection against phishing. 2FA is not something that saves users from entering their credentials into the wrong website, because phishers can just also ask for the second authentication code along with your password. I still see this being reported as a benefit of 2FA — it’s not. Evilginx has supported sniffing of 2FA credentials for years at this point. It will even save the cookie sent back from the site so that the session doesn’t expire and attackers don’t have to wait for you to click the phishing link in real time. This obsoletes the vast majority of 2FA, because the vast majority of sites don’t support YubiKeys for personal accounts, and most consumers that use 2FA don’t own YubiKeys.
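The difference between a TOTP code and a YubiKey here is structural, and an added simulation (written for this page, not code from the post or from any of the tools it names) makes it visible from the server's side. The TOTP verifier below implements RFC 6238 and accepts any current code, whoever submits it; the WebAuthn-style verifier checks the origin the browser recorded in clientData before it checks anything else, so an assertion produced while the browser sat on a look-alike domain fails even with the genuine key and challenge. Simplifications, all assumptions: an HMAC stands in for the authenticator's asymmetric signature, the RP ID is derived from the page hostname (a real browser enforces that it is a registrable suffix of the origin), and all secrets, origins and the timestamp are constructed.

```python
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# Constructed values for the simulation (not real credentials or domains).
RP_ORIGIN = "https://accounts.example.com"        # the genuine login origin
RP_ID = "accounts.example.com"
LOOKALIKE_ORIGIN = "https://accounts-example.com"  # hypothetical look-alike domain
TOTP_SECRET = b"constructed-shared-totp-secret"
CRED_KEY = b"constructed-per-credential-key"      # stands in for a FIDO private key


# ---------- TOTP (RFC 6238: HMAC-SHA1 over the 30-second counter) ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Relying-party check. The code carries no information about where the
    user typed it, so the server cannot tell a code entered on the real site
    from one the user entered on a look-alike page moments earlier."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step_s), code)
               for step_s in (30,) for k in range(-window, window + 1))


# ---------- FIDO2/WebAuthn-style assertion with origin binding ----------
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def browser_and_authenticator_sign(cred_key: bytes, challenge: bytes, page_origin: str) -> dict:
    """The browser (not the user) records the origin it is really connected to
    in clientData; the authenticator signs over authenticatorData plus the
    clientData hash. The user cannot 'type' a different origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                              "origin": page_origin}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(urlparse(page_origin).hostname.encode()).digest()
    flags_and_counter = b"\x01" + b"\x00\x00\x00\x01"   # UP flag set, counter = 1
    authenticator_data = rp_id_hash + flags_and_counter
    to_sign = authenticator_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data,
            "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest()}


def server_verify_assertion(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party verification in the order WebAuthn prescribes: type,
    origin and challenge from clientData first, then rpIdHash, then signature."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("origin") != RP_ORIGIN:          # a look-alike page fails here
        return False
    if client.get("challenge") != _b64url(expected_challenge):
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def demo() -> dict:
    """Same user, same secrets: one login from the genuine origin and one from
    the look-alike. Returns what the server accepts in each case."""
    now = 1_608_000_000                             # fixed so the run is deterministic
    challenge = b"constructed-server-challenge"
    code_typed_on_lookalike = totp(TOTP_SECRET, now)  # user reads it off their phone
    genuine = browser_and_authenticator_sign(CRED_KEY, challenge, RP_ORIGIN)
    on_lookalike = browser_and_authenticator_sign(CRED_KEY, challenge, LOOKALIKE_ORIGIN)
    return {
        "totp_relayed_accepted": server_verify_totp(TOTP_SECRET, code_typed_on_lookalike, now),
        "fido_genuine_accepted": server_verify_assertion(CRED_KEY, challenge, genuine),
        "fido_lookalike_accepted": server_verify_assertion(CRED_KEY, challenge, on_lookalike),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the simulation does not need to model: the relaying proxy itself is irrelevant to the outcome, because the TOTP server has nothing to check beyond the digits, while the origin check in the assertion path rejects the look-alike session before the signature is even examined.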

#4 is also something that 2FA does not protect against. If a targeted attacker has malware on my laptop, they can use my own open browser to compromise every account I log in to, from the time they drop the malware to the time they leave. The solution here is to not log in to accounts on untrusted devices, and to not open Word macros sent to you by email. I don’t do either of those things, and even if I did, 2FA once again provides no benefit.

Same with most instances of #5. I respect that it’s possible in theory to find an incomplete authentication bypass that gets around the need for a password but not 2FA. I’ve read a lot of bug bounty reports and I’ve yet to encounter this in practice. I don’t know why 2FA would be a better protection against these issues than any other random over-complication.

And that’s what 2FA is for me. A needless burden. I don’t like bringing my always-online GPS tracker everywhere I go so that I can log in to my online accounts. Almost nobody suggests using a “second factor” to supplement their SSH keys — why should I be using one on top of my KeePassXC database?

I am more sympathetic to the organizational requirement that accounts be protected by TOTP codes or Duo, because it’s hard to be sure the 30 engineers under you aren’t going to leak their password somehow. Still, I’m confused by this scenario. Is buying your employees YubiKeys that expensive? Is using a business password manager that difficult? If I set up Keeper for five accountants, is one of them really going to give up their credentials to some dude that says he’s the county password inspector? Wouldn’t it be even easier to just ask them to log in at his phishing URL, like what happened to Twitter?

Time-based one-time passwords (TOTP) are one of those things, like perfect forward secrecy, that security researchers find very cool but that unfortunately almost never come up in practice. Intellectually I realize that they sound like a really cool idea; an ever-changing passcode spit out by your smartphone is an impressive feat of cryptography. But as it stands, I’m going to just encourage people I know to keep their passwords stored in an online password manager, and maybe buy a YubiKey if they’re really serious about protecting themselves online.
