Many organizations are moving to 2FA/MFA
Posted Jul 14, 2022 11:34 UTC (Thu) by hmh (subscriber, #3838)
In reply to: Many organizations are moving to 2FA/MFA by roc
Parent article: "Critical" projects and volunteer maintainers
2FA apps running in a (hopefully separate) device are almost always accepted as well, at least for the forges.
So, your typical floss developer, even in areas where hardware tokens are either expensive or hard to acquire, can trivially get past that bar.
There really isn't any excuse for not mandating 2FA other than credential recovery procedures, as long as it is an interoperable one that is not going to cause any sort of vendor lock-in.
The recovery procedures are indeed a concern, though.
Posted Jul 14, 2022 15:15 UTC (Thu)
by tialaramex (subscriber, #21167)
TOTP can be phished, it's maybe going to be a bit harder to phish the sort of person who writes a Python package than my mother, but on the other hand it's probably a spear phishing exercise and so the attacker is putting real work in not just spewing out a million bogus emails claiming to be from FedEx or whoever. This is why FIDO is so important that it's worth spending money (not very much money in the larger scheme of things, but spending money is annoyingly difficult in the sort of organisations that have money) to give people FIDO authenticators rather than just point them at TOTP.

The "cheapest" viable attacks on FIDO appear to be:

Persuade the user to give you their physical token e.g. call them and insist it needs replacing, send a "courier" to pick it up (this sounds like a good way to get arrested, Police may not understand Internet crimes, but they have seen this trick done with credit cards for decades).

Persuade the user to install malware which can request suitable login credentials and send them to you, and then persuade the user to physically authorise that authentication.

Both ideas are something you could imagine a state actor pulling off but aren't very practical for small time crooks, bored teenagers and suchlike real world attackers.
The difficult-to-acquire thing is probably given a misleading impression by the fact these tend to be US projects. Americans have a much easier time sending physical objects to a handful of countries and those are listed. But I assure you that a hacker living in Moscow right now, regardless of how they feel about their country's invasion of Ukraine, can get themselves a FIDO authenticator if they want one for example.
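The two comments above turn on one property: a TOTP app (hmh's "2FA app on a separate device") produces a code that the relying party can verify but that carries no information about where it was typed, whereas a FIDO assertion is signed over the origin the browser actually saw and the relying party rejects any other origin. The following Python is an added illustration written for this page, not code from either commenter or from any forge. It implements RFC 4226/6238 HOTP/TOTP exactly (checked against the RFC test secret), and a deliberately simplified WebAuthn-style verifier: the authenticator's asymmetric signature is stood in for by an HMAC with a per-credential key so that it runs on the standard library alone (that substitution, the host names such as forge.example, and the challenge strings are all assumptions made for the example; the checks themselves, origin, rpIdHash, challenge, user-presence flag and signature, follow the WebAuthn assertion-verification steps).

```python
"""TOTP (RFC 6238) versus an origin-bound FIDO-style assertion check."""
import hashlib
import hmac
import json
import struct

# --- TOTP: RFC 4226 HOTP driven by a 30-second time step (RFC 6238) -------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of elapsed time steps."""
    return hotp(secret, now // step, digits)

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    Note what is absent: nothing ties the code to the site where it was entered."""
    counter = now // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

# --- Origin-bound assertion: simplified WebAuthn "get" ceremony -------------
# Assumption for this example: HMAC with a per-credential key replaces the
# authenticator's ECDSA/EdDSA signature. What is signed and what the relying
# party (RP) checks is the point, not the signature algorithm.

def _sign(cred_key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    # Real FIDO signs authenticatorData || SHA-256(clientDataJSON).
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(cred_key, msg, hashlib.sha256).digest()

def make_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """What browser + authenticator produce. The browser, not the page, fills in
    `origin`, and derives rp_id from it; the authenticator signs over both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set) || signCount.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": _sign(cred_key, auth_data, client_data)}

def verify_assertion(cred_key: bytes, rp_id: str, expected_origin: str,
                     expected_challenge: str, assertion: dict):
    """RP-side checks. Returns (accepted, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        # A code typed into the wrong site verifies fine under TOTP; an
        # assertion produced at the wrong origin fails right here.
        return False, "origin mismatch: %s" % cd.get("origin")
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user presence flag not set"
    expected = _sign(cred_key, auth, assertion["clientDataJSON"])
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 6238 test secret
    print("TOTP at t=59:", totp(secret, 59))     # RFC vector ends in 287082
    key = b"constructed-credential-key"          # constructed, per-credential
    ok = make_assertion(key, "forge.example", "https://forge.example", "c1")
    other = make_assertion(key, "forge.example.login.test",
                           "https://forge.example.login.test", "c1")
    for a in (ok, other):
        print(verify_assertion(key, "forge.example", "https://forge.example", "c1", a))
```

The TOTP verifier has a drift window and nothing else; any correct code presented within that window is accepted, which is why the comment above treats TOTP as phishable. The assertion verifier, by contrast, fails on the origin and rpIdHash checks before it even reaches the signature, and the challenge check defeats replay of an old assertion.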
Posted Jul 14, 2022 19:34 UTC (Thu)
by roc (subscriber, #30627)