I wish infosec folks would spend more time talking about account recovery processes. Right now it feels like there’s a huge gap between “sms 1fa is fully sufficient for instant password reset” and “you own a yubikey so fuck you forever if you ever have a house fire”. And robust authentication protocols get subverted all the time by weak reset policies
If we are going to have fewer, higher value accounts that do auth across a zillion services (i.e. iCloud passkeys), account recovery should be loud (it should blast out notifications to every possible contact channel to ensure that you get notified if you’re being attacked by a reset attempt), expensive (it should take several days at minimum, giving you lots of time to respond to those notifications), and manual (human judgement should be necessary, but not sufficient, to do the final reset).
Provider-independent security systems like apple’s new end to end encryption should have secret-sharing social proof reset schemes where you can supply a quorum reset secret to several friends so that, for example, data can be unlocked in the event of your death. Pages of loud warnings are no substitute for thoughtful mandatory backstop procedures.

@glyph I’m curious what you think of Apple’s recovery processes. They have recovery contact and legacy contact (provide access upon death). They both use two key shares (one with Apple, one with the chosen contact).

https://support.apple.com/guide/security/account-recovery-contact-security-secafa525057/web

https://support.apple.com/guide/security/legacy-contact-security-secebf027fb8/web

@SolTwoOne so, this is better than I remember it being; perhaps I didn’t catch updates after e2e shipped. I still want them to publish the process in a lot more detail, with screenshots of the flows involved for all parties and clear narrative explanations for why everybody needs this. And put it closer to the places where you create an Apple ID or do something irreversible like turning on FileVault or setting Activation Lock.

@glyph These were actually added last year in iOS 15, although without much fanfare. I think they were in preparation for E2EE iCloud. You have to enable a recovery contact or recovery key (28-character alphanumeric code) for Advanced Data Protection.

A flow chart would be really nice though. And I don’t think they have warnings for if you don’t enable ADP, although I haven’t made a new Apple ID in a long time so not sure.

As for your earlier SMS 2FA vs YubiKey lockout point, I’m less familiar with that, but it could still be an issue. My understanding is if you have a logged in device, you’ll get notified of login attempts by a prompt on your trusted devices asking for approval, which will supply the 6-digit 2FA code. If you don’t have a device, you can request a code via SMS instead. Not sure how this works if you enabled FIDO keys instead; the documentation just says you can be locked out if you lose all keys and trusted devices.

Someone on Reddit tested various scenarios if you’re interested: https://www.reddit.com/r/apple/comments/10mgr5l/security_keys_2fa_account_recovery_testing/

@SolTwoOne @glyph Until Apple allows open 2FA protocols, I don't care what they do. They don't allow open TOTP or FIDO and their non-SMS 2FA requires you own an iPhone.
@resuna @glyph They allow FIDO keys, fresh in the last OS update. https://support.apple.com/en-us/HT213154
@SolTwoOne @glyph That's a start. Now they need to support TOTP and support it on their website under all four major browsers and on Windows and Linux, and older operating systems, since it is a security update.
@resuna @SolTwoOne TOTP is worse, so I’d be happy if they skipped that but supporting FIDO2 auth on Windows is a necessary next step; enabling phishing-resistant 2FA still breaks a *little* too much functionality in your account
@glyph @SolTwoOne They already implement TOTP, it's just a proprietary incompatible TOTP that requires you own an iPhone.
@resuna @SolTwoOne you don’t actually need to own an iPhone, it can be a mac or an iPad too. Can you create an apple ID in the first place without owning one of those?
@glyph @SolTwoOne You need an Apple ID to buy music from the iTunes store even if you're on Windows.

@glyph I think there is an issue around differentiating threat models.

My great grandma has low odds of a concentrated attack and, by two orders of magnitude, fewer online accounts with less info than most people. SMS 1/2FA is probably the most secure thing she can do, the most effective, and appropriate for her circumstances.

So much of infosec (1) focuses only on worst case scenarios and the highest threat models, (2) desires perfection, and (3) has access to systems that will be targeted.

@glyph yubikeys make sense for them, not for most people (usability matters!)

Re perfection: this is an engineering thing (guilty as charged), you want the things you create or are vested in to be flawless.

@raynor I agree with the vibe of what you’re saying here but not the specifics. We do sometimes catastrophize in infosec, but also, the increasing prevalence of spray-and-pray attacks is such that normies *do* get attacked in surprisingly sophisticated ways. More than one nontechnical acquaintance of mine has had their paypal account stolen in the last 3 months, for example, despite enabling 2FA. Phishing is cheap and easy for attackers.

@glyph Sure. I've seen that too.

I just think the threat modeling is part of the gap. You can put in a middle ground between grandma and infosec.

@glyph a few days can be a big problem if, say, your bag gets stolen. Esp while traveling. Not that I have a great counter offer :/
@coderanger @glyph Letting users decide. You can do this with questionnaires about hypothetical situations or an advanced mode where the user spells it out directly in a sort of DSL.
@dalias @coderanger yeah this is exactly the sort of thing I’d like to see discussion of! The issue is really complex, but it’s treated as an afterthought.

@glyph See also:

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/paper1459-schechter.pdf

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/PasswordDoesNotWork.pdf

Sadly, none of the big email providers (to which password reset emails go) or companies making password managers publish data on account loss or compromises due to recovery mechanisms.

So much of the research in the area gets ignored.

Having spent the last four years building out a new account recovery mechanism, it's frustratingly hard to get adoption because key players don't measure or publish account loss rates.

@glyph Agreed. Also, if I can run 2FA at home on my own Mastodon server, why not every single commercial entity that wants to keep my credit card on file for "future purchases"?

Knowing that they probably already have my number on file for the purchase in the first place, just they'd store it in an even less secure place.

Excellent point on the fire issue (or loss of keyring!). I do have a spare, but (preemptive facepalm) it's still in the box!

@glyph I've talked about this since 2018, and have acquired a lot of haters as a result.

https://stuartschechter.medium.com/before-you-turn-on-two-factor-authentication-27148cc5b9a1

@glyph case in point. My Ocado account was compromised a couple of years ago: only a password is needed, and once logged in the email address can be changed with NO confirmation to the current email. At that point, you're locked out and Ocado won't change it back, reset it, or let you back into your account. You have to create a new one from scratch.

Hundreds of pounds of alcoholic drinks ordered on stolen credit card. No checks. 🙄

@glyph I do need to highlight that #SMS2FA is insecure and basically worthless.

https://pages.nist.gov/800-63-3/sp800-63b.html#-5133-authentication-using-the-public-switched-telephone-network

#TOTP is a much better scheme.

So it's not just a lack of more robust authentication, it's also just pure neglect in avoiding what's currently considered bad practice by many service providers.

#SMS #2FA

@glyph Instead of a book of passwords, we now have a Mitt Romney-style binder of emergency recovery codes.
@glyph I’d like protection against getting a bump on my head and forgetting my password (or my death so my family can recover it). I’d like a physical token, like a printed plastic card, that can reset my master passwords.
@glyph @briankrebs I also wish infosec/systems/app engineers would take into account population age. My 88 yr old mother in law struggles with password use let alone 2FA. I’ve now got her using a password manager, but she still uses the same 4 different passwords for everything. I’ve never suggested 2FA to her because I know she will not understand the process, nor how to follow it.
@muddylaces @glyph @briankrebs My uncle's solution is a spiral notebook in a locked filing cabinet. I figure it's more secure against the sort of threats he faces than anything electronic.
@glyph This honestly seems like a missed opportunity for banks with physical locations. They already have account locking and unlocking processes. If they had jumped on computer tech early instead of dragging their feet, personal authentication could have been very different.

@glyph I refuse to use any 2FA system I'm not actively forced to that doesn't allow a redundant array of dissimilar authenticators. SMS is not one of the acceptable authenticators. Yes I'm looking at you Apple, I'm not buying an iPhone just for your 2FA.

It's really bad for the homeless because the really cheap subsidized cellphone services don't let you keep the number, and losing all your stuff including the contents of your pockets happens often enough to make recovery a regular exercise.

@glyph i was thrilled to install the latest macOS/iOS update to start using my yubikeys as a second factor, and immediately noped back out when i realized it requires disabling the old behavior.

and like, at some point i'll go back and turn it on anyway? but not until i have the energy to give two trusted friends each a backup key to cover the house fire scenario 🥲

@allykzam yep, exactly the same reaction here. I need to do some more prep work.

@glyph @0xabad1dea I literally find myself at this juncture right now. Want to have something I trust, something hard-to-steal/bypass/subvert, something redundant (but where I control the redundancy/recoverability) and that I have reasonable odds of loved-ones embracing.

The genie joke comes to mind… https://www.jokeindex.com/joke.asp?Joke=3529