
Firefox 70 released

Posted Oct 24, 2019 18:58 UTC (Thu) by mathstuf (subscriber, #69389)
In reply to: Firefox 70 released by josh
Parent article: Firefox 70 released

> I use an authenticator app for [TOTP secrets].

With access to the password store and TOTP secrets essentially guarded by just a PIN code or fingerprint (and the same one at that), I don't find a compelling argument that having both on a device is actually using two factors (or does Firefox Sync make you unlock it after each use?). All my password database applications are set up to require a password on any use (with a longer timeout where it makes sense). The TOTP secrets are just guarded by either the Yubikey (which is a thing-you-have) that has a remembered password on my trusted devices (so that just stealing it isn't an end-of-the-world problem) or are stored on an encrypted USB drive (using the aforementioned setup). That actually keeps the thing-you-have property of the second factor.

> I use Firefox on Android, and it syncs passwords to there.

I use Klar (the always-private-browsing-mode variant), which doesn't, as my main browser. I also have the Android variant installed, but mainly for just having an easy way to share pages through it to my other machines via Firefox Sync. Granted, not a problem for most :).

In any case, it seems that I'll need to figure out some other syncing mechanism for Android since things like Syncthing (which I use) and Dropbox are basically dead with the new API restrictions that will be required next year (the Q API doesn't allow direct filesystem access and Google has been raising the minimum allowed version about a year after it was introduced). Hopefully F-Droid can extend my usage until a new solution is found, but I have low hopes for Google being reasonable here.


Firefox 70 released

Posted Oct 25, 2019 18:24 UTC (Fri) by raven667 (guest, #5198) (6 responses)

> having both on a device is [not] actually using two factors

Sure, that's true, but it's better than TOTP over SMS (hi @jack), and even SMS TOTP is better than nothing and prevents millions of account takeovers. I too have TOTP tokens on a Yubikey (to make it easier to switch between phone, laptop and desktop), but even getting people to use a password manager at all is a pretty heavy lift and more inconvenience than many will tolerate, so anything that makes it easier lowers the bar for use and raises the bar for minimum security; it's something that scales to improve the security of billions of people, in a way that a complex multi-step procedure does not.

Firefox 70 released

Posted Oct 25, 2019 18:48 UTC (Fri) by apoelstra (subscriber, #75205) (4 responses)

> even SMS TOTP is better than not and prevents millions of account takeovers

Maybe. But it causes phone accounts to be taken over, and unlike the situation with online accounts, this cannot be prevented by conscientious users. The fact that many websites (especially American banks) *require* SMS-based 2FA has been a massive detriment to my security, and the security of many people I know.

Firefox 70 released

Posted Oct 28, 2019 18:51 UTC (Mon) by raven667 (guest, #5198) (3 responses)

> Maybe. But it causes phone accounts to be taken over, and unlike the situation with online accounts, this cannot be prevented by conscientious users.

Is security something that only conscientious users should enjoy, or something that should be baked into the defaults? I understand that SMS 2FA puts more strain on the phone system's security, but it also puts more strain on attackers and slows them down too.

> SMS-based 2FA has been a massive detriment to my security

Compared to passwords alone without any second factor? SMS 2FA is worse than just bare passwords, is that your claim? Needing to do SIM cloning to intercept SMS is a significantly higher bar than just compromising the Cat Fancy blog comment system and trying all the creds on the Bank of America website or similar. It's not that it's impossible to beat, we both know it isn't, but whether it's better than the status quo. Password managers and random shared secrets are better than using shared common passwords across many sites, SMS 2FA is better, phone 2FA is better still and an external token is best.

Firefox 70 released

Posted Oct 28, 2019 21:11 UTC (Mon) by mathstuf (subscriber, #69389) (1 response)

I think the issue is that companies add SMS 2FA and say they're done. Supporting the more secure variants is still necessary for those who want to be more secure. But too often I've seen responses along the lines of "but we have it already", and having to explain why it's not sufficient for me is exhausting. I should probably push hard on my financial institutions (e.g., Fidelity finally has SMS, which I did enable, but while other methods are possible across their setup, they're not available for my account type).

Firefox 70 released

Posted Oct 28, 2019 22:31 UTC (Mon) by pizza (subscriber, #46)

Plus, even putting aside the security flaws inherent to SMS, reliable SMS delivery is not a given -- for example, during international travel. Or should your phone suffer a catastrophic failure. Or both simultaneously.

Firefox 70 released

Posted Oct 29, 2019 20:56 UTC (Tue) by apoelstra (subscriber, #75205)

> Is security something that only conscientious users should enjoy, or something that should be baked into the defaults?

Of course security should not be limited to conscientious users, but SMS 2FA strictly increases the conscientiousness you need to be secure. With 1FA you need to use strong unique passwords; with SMS 2FA you also need to use non-public throwaway phone numbers. I know several people personally who have had their numbers ported, which led to multiple simultaneous account compromises (even when using unique passwords), not to mention being extremely inconvenient.

> I understand that SMS 2FA puts more strain on the phone system's security, but it also puts more strain on attackers and slows them down too.

It doesn't seem to put any strain on the phone system's security. Phone companies are happy to let attackers port arbitrary numbers with basically no resistance and then absolve themselves of all responsibility. As far as I know no legal system in the world holds them accountable for this.

Firefox 70 released

Posted Oct 26, 2019 12:45 UTC (Sat) by mathstuf (subscriber, #69389)

The main problem I have with TOTP-over-SMS is that I can't back it up. I have TOTP secrets encrypted and geographically backed up. I can't do that with my SIM card (well, at least not without SIM hijacking or swapping myself). Not to mention the lack of trust I have for telephone companies in the first place.

As for getting people to use password managers, I have gotten my family onto LastPass. They also have Yubikeys now, but that involves some more instruction over time and hasn't been as easy for them to start using. Now that U2F is more widely available, hopefully there will be some time over the holidays to get that working for them.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.