LWN: Comments on "A report from the Enigma conference"
https://lwn.net/Articles/747005/
This is a special feed containing comments posted to the individual LWN article titled "A report from the Enigma conference".
Feed generated: Mon, 08 Sep 2025 05:45:21 +0000


A report from the Enigma conference
https://lwn.net/Articles/749886/
nix, Wed, 21 Mar 2018 16:25:19 +0000

The tablet is not transparent. I think you'd need three mirrors, in a triangle. :)


A report from the Enigma conference
https://lwn.net/Articles/748762/
nybble41, Wed, 07 Mar 2018 20:40:57 +0000

That is a legitimate annoyance when you're trying to set up TOTP from a QR code displayed on the same device. They should provide the key in plain text which you can copy and paste into the app. The typical reason for not doing this is to mitigate the risk that a rogue app could capture the credentials from the clipboard, but IMHO that decision should be up to the user. Another option, both easier for the user and likely more secure than using the clipboard, would be to provide a link to a URI which opens in the TOTP app. (The current version of Google Authenticator does allow setup via a text key, not just QR codes. I'm not sure whether it supports setup by URI link.)

As for workarounds, if you have a second tablet or smartphone handy you could take a photo of the screen and then scan that. You could also take a screenshot of the QR code and either print it out or display it on another screen, or just run the screenshot through a QR decoder and use the raw text.


A report from the Enigma conference
https://lwn.net/Articles/748757/
sfeam, Wed, 07 Mar 2018 18:42:19 +0000

Mirror? umm - Two mirrors?


A report from the Enigma conference
https://lwn.net/Articles/748756/
nix, Wed, 07 Mar 2018 18:39:11 +0000

Last time I tried to use a tablet for this stuff Google Authenticator demanded that I take a photo of some auth code (not a screenshot, a photo). This was less than practical since the camera was of course *on* the tablet and it can't take a photo of its own screen.

(I'm sure this was just a simple stupidity that's since been fixed, but I had these over and over again and after the fifth stupid roadblock I just gave up for the time being. It's not like I can do this except when the account owner is around anyway...)


A report from the Enigma conference
https://lwn.net/Articles/748755/
nix, Wed, 07 Mar 2018 18:37:13 +0000

That's *definitely* not true in all countries or with all telcos.


A report from the Enigma conference
https://lwn.net/Articles/748626/
nybble41, Tue, 06 Mar 2018 16:26:17 +0000

> And an offline 2FA method other than U2F was not, as far as I can recall, available when I set this up.

Google Authenticator, or the equivalent, was an option long before U2F was standardized.

> Doubly so when you consider that if they don't have mobile phone coverage a tablet is likely to be fairly useless to them as well.

In what world are tablets primarily used with mobile networks, as opposed to WiFi? Last time I checked (which I admit was some time ago) integrated mobile connectivity was still an optional feature not present on all tablets.

Anyway, you don't need a tablet for Google Authenticator or FreeOTP; any smartphone will do. In a pinch you could even set up compatible TOTP software on a laptop or PC. It doesn't require mobile coverage; technically it doesn't even require an Internet connection once the software is downloaded. Setup can be completed offline, and consists of either scanning a QR code or pasting in a URI string. Codes are likewise generated offline.


A report from the Enigma conference
https://lwn.net/Articles/748605/
zdzichu, Tue, 06 Mar 2018 13:24:47 +0000

Why is moving house a problem with a phone number? You can move ("port") your number to your new address, even between different telecoms. The days when a telephone number depended on physical location ended sometime in the last century.


A report from the Enigma conference
https://lwn.net/Articles/748603/
nix, Tue, 06 Mar 2018 12:38:59 +0000

The backup codes are probably what we're going to do. As for the 'correct phone number', this problem arises whenever people using landline phones move house. That's not that rare.

(And an offline 2FA method other than U2F was not, as far as I can recall, available when I set this up. Doubly so when you consider that if they don't have mobile phone coverage a tablet is likely to be fairly useless to them as well. They do have one now, but it gets charged so rarely that it's never working when they need it.)


A report from the Enigma conference
https://lwn.net/Articles/748585/
mathstuf, Mon, 05 Mar 2018 23:08:53 +0000

Yeah, they're an independent thing, but I store them next to the TOTP key (which is duplicated for backups) as well as ciphered on paper I keep around.


A report from the Enigma conference
https://lwn.net/Articles/748583/
nybble41, Mon, 05 Mar 2018 22:10:38 +0000

So far as I know, while they both meet the definition of "one-time password", Google's "backup codes" are independent of the time-varying TOTP codes which you would get from Google Authenticator or FreeOTP. There is no app and no URI or QR code, just a predetermined list of 10 static codes, each of which can be used at most once in an emergency. If you need more you have to go back to your account page at Google and download a new list.


A report from the Enigma conference
https://lwn.net/Articles/748581/
mathstuf, Mon, 05 Mar 2018 20:19:21 +0000

Yeah, those are what I meant by "one-time passwords". Personally I use `oathtool` to generate codes on my machines. For Android, I'd recommend FreeOTP (though I believe a fork has appeared since I last used it) since it's actually FOSS unlike Google's app.


A report from the Enigma conference
https://lwn.net/Articles/748579/
nybble41, Mon, 05 Mar 2018 19:48:53 +0000

Google also offers "backup codes"[1] which can be stored offline and used in place of other 2FA methods. The problem nix described is easily solved by generating a list of backup codes and using one of those codes to update the phone number (or disable 2FA entirely and start over). Of course, this problem wouldn't have existed if the account had been set up with the correct phone number in the first place. For that matter, an offline 2FA method like Google Authenticator would have been a much better choice than phone-based authentication, given the connectivity issues.

[1] https://support.google.com/accounts/answer/1187538?hl=en


A report from the Enigma conference
https://lwn.net/Articles/748538/
mathstuf, Mon, 05 Mar 2018 19:04:29 +0000

I agree that if 2FA were tied to phones, it'd be crap. Luckily, you can usually extract the secret key using a barcode scanner to get the URL. This is what I do to store the secret on an encrypted USB key that I use to get my codes; my phone is actually really "dumb" for these codes.

I don't know what I'd recommend for tech-unsavvy users like my family if they didn't have reasonable coverage and service to their typical locations. Even then I'd recommend some device that is less prone to mistakes than a cellphone for these codes. At least a moderately ciphered note in a wallet or something for one-time passwords.


"Otherwise, the last smoker would have quit by now"
https://lwn.net/Articles/748470/
nix, Sat, 03 Mar 2018 17:20:17 +0000

> They also require me to use a 2FA gadget with my chip-and-pin card for some actions

So does mine. The gadget's battery recently ran out, and they required me to generate a 2FA token with it to prove that I owned it before they'd send me a new one. This did not seem terribly well thought out.

(Thankfully this is an old-school bank that still has things like local branches, so it was easy to pop into one of those and get it changed.)


A report from the Enigma conference
https://lwn.net/Articles/748469/
nix, Sat, 03 Mar 2018 17:17:57 +0000

2FA is not all it's cut out to be. I used to love it. I encouraged my parents to turn on Google 2FA using a landline phone as their authenticator in addition to a U2F token, so an attacker taking over their horribly insecure Windows desktops couldn't steal all their email and the like. They did this at my house because that's where we were at the time, and because I cared more about their security than they did, so stewardship as noted in the article seemed like a good idea -- but when they went back home (to an area entirely without mobile phone coverage), they couldn't switch off phone authentication or switch to their phone because it insisted on calling my phone with a security code to do so (which I couldn't pass on to them before token expiry because I was, of course, *on the phone*).

They also can't change phone to their landline, whether they're near my phone or theirs, even if we were to add a mobile number as an authenticator, because doing so requires receiving a phone call to one of the existing phones on the account *and* to the new phone within a few tens of seconds, which given that you have to travel for ten minutes to get mobile phone coverage where they live and that the two landline phones are hundreds of miles apart is never going to work.

My parents now hate 2FA, because its sole purpose seems to be to lock them out of their accounts through half-thought-out mis-security that assumes that everyone has a mobile phone and never leaves areas with good coverage. Eventually their single remaining hardware U2F authenticator will break or get lost (adding a new one requires, you got it, a phone call to one of the phones) and they'll be unable to use their Google accounts at all. The total lack of human support of any sort at Google means that this is unfixable. I find myself a lot less admiring of 2FA myself, as well, at least as long as companies continue to insist that phones are in some way privileged so that a lot of auth requests require the phone rather than or as well as some other 2FA device, and that once you have a phone you necessarily have access to it at all times and will never lose access to it or be unable to receive calls on it.

This stuff probably also goes disastrously wrong for people who use a landline phone as a 2FA authenticator and who move house without porting the number (which in the UK is essentially everyone who moves house and has a landline, since landline number porting here is very much in its infancy).

(Some of this may be old info: we tried fixing this several years ago, then stopped, because if for any reason Google decided that it *needed* phone authentication rather than U2F to let them into their account -- and it seemed to insist on phone authentication for so many things! -- they'd be stuck, locked out of their account forever. So things might be better now and we might be able to fix this clusterfuck, but we don't dare try to find out.

This is, I note, the sort of messup someone who is actually related to multiple Google employees can get into: not even they can help, because they work in the wrong part of the organization and new tech companies other than Amazon have nothing remotely resembling tech support that normal humans can contact. I can't imagine how bad the messes might be that random members of the public can get into.)


A report from the Enigma conference
https://lwn.net/Articles/747949/
oldtomas, Sat, 24 Feb 2018 14:15:25 +0000

Very good writeup on a fascinating subject, thanks for that.

Security is a social phenomenon, who'd think that? Yes, at the bottom of all that it's a question of trust. Trust your distro, trust your hardware vendor (HAH), trust the theoreticians who know much more than you...

We geeks get so worked up about the technical aspects of security that we tend to forget that technology is just an instrument to help us in making transparent *what* or *who* it is we decide to trust.

One thing which was somewhat appalling for me was this perspective of the "big platforms" on this problem: users as a somewhat dumb mass you've got to nudge so they do what you think is the right thing (and for that you experiment with them, as if they were cell cultures). This, for me, is dystopia, and is the reason I try (at some cost) to avoid the Facebooks and Googles of this world.


A report from the Enigma conference
https://lwn.net/Articles/747556/
jake, Mon, 19 Feb 2018 18:18:27 +0000

> This is a fascinating article

Glad you liked it ...

> I'm glad LWN went to cover this conference

We can't really take any credit for that part, though. Thanks are due to Christian for going (and writing it up for us) and the Swiss Cyber Storm conference that helped with his travel costs.

jake


A report from the Enigma conference
https://lwn.net/Articles/747554/
emptysquare, Mon, 19 Feb 2018 18:07:32 +0000

This is a fascinating article, well-reported; sounds like a great conference. I'm glad LWN went to cover this conference; it's much better reading and more informative than the usual security news.


Two-factor authentication requires even more information
https://lwn.net/Articles/747513/
dune73, Mon, 19 Feb 2018 04:24:00 +0000

This was named as one of the reasons people chose not to use 2FA in the presentation.


A report from the Enigma conference
https://lwn.net/Articles/747483/
pabs, Sun, 18 Feb 2018 01:02:01 +0000

s/new/few/


A report from the Enigma conference
https://lwn.net/Articles/747482/
pabs, Sun, 18 Feb 2018 01:01:33 +0000

> They consented to Facebook's Terms of Service

It is extremely unlikely those have ever had informed consent. Even the new people who gave informed consent were probably coerced by the FOMO.


Two-factor authentication requires even more information
https://lwn.net/Articles/747448/
NAR, Fri, 16 Feb 2018 18:10:26 +0000

I think Google or Facebook tend to know a lot more about their users than they'd prefer, so giving even more information (a phone number) might not be that tempting...


A report from the Enigma conference
https://lwn.net/Articles/747422/
excors, Fri, 16 Feb 2018 15:40:12 +0000

They consented to Facebook's Terms of Service, which says "By using or accessing Facebook Services, you agree that we can collect and use such content and information in accordance with the Data Policy as amended from time to time", and the Data Policy says "We conduct surveys and research, test features in development, and analyze the information we have to evaluate and improve products and services, develop new products or features, and conduct audits and troubleshooting activities". The behaviour described in this article sounds like conducting research and testing features and analyzing information with the goal of improving Facebook's services (maybe not directly but as a byproduct of the research).

The Data Policy also says "We transfer information to [...] other partners who globally support our business, such as [...] conducting academic research and surveys. These partners must adhere to strict confidentiality obligations in a way that is consistent with this Data Policy and the agreements we enter into with them", so it seems fine that Facebook worked with a university researcher on this.


A report from the Enigma conference
https://lwn.net/Articles/747419/
robbe, Fri, 16 Feb 2018 15:10:44 +0000

> He looked at data from 750,000 Facebook users…

Did these users consent to take part in his study, or are we again studying unwitting cattle?


"Otherwise, the last smoker would have quit by now"
https://lwn.net/Articles/747418/
robbe, Fri, 16 Feb 2018 15:06:30 +0000

To be fair, this was Mrs Sedova’s idea, as can be seen in her slides.


"Otherwise, the last smoker would have quit by now"
https://lwn.net/Articles/747400/
mpr22, Fri, 16 Feb 2018 08:37:09 +0000

My bank asks me to choose a five-digit passcode and a limited-length non-dictionary word, and never asks me to type the whole word. (They also require me to use a 2FA gadget with my chip-and-pin card for some actions, and now that I have one so that next time I move house I can update my address without physically going into a branch, the set of gadget-requiring actions is larger.)

My credit card issuer, which happens to be a tentacle of my bank, asks me to set a six-digit passcode and a limited-length non-dictionary word, and again, never asks me to type the whole word.


"Otherwise, the last smoker would have quit by now"
https://lwn.net/Articles/747392/
shemminger, Fri, 16 Feb 2018 00:09:09 +0000

Like many trainings, the message doesn't match the action.
Often the problem is that a site or corporate resource thinks too highly of itself. I don't need a strong password for trivial sites; but my bank won't let me use a long password or many punctuation characters.


"Otherwise, the last smoker would have quit by now"
https://lwn.net/Articles/747358/
dune73, Thu, 15 Feb 2018 16:39:21 +0000

Thank you. I thought the analogy was quite striking.

dune73 / Christian Folini


"Otherwise, the last smoker would have quit by now"
https://lwn.net/Articles/747345/
Herve5, Thu, 15 Feb 2018 16:03:29 +0000

I *loved* this remark :-)
That too is part of LWN coolness...