GlyphI wish infosec folks would spend more time talking about account recovery processes. Right now it feels like there’s a huge gap between “sms 1fa is fully sufficient for instant password reset” and “you own a yubikey so fuck you forever if you ever have a house fire”. And robust authentication protocols get subverted all the time by weak reset policies
If we are going to have fewer, higher value accounts that do auth across a zillion services (i.e. iCloud passkeys) account recovery should be loud (it should blast out notifications to every possible contact channel to ensure that you get notified if you’re being attacked by a reset attempt) expensive (it should take several days at minimum, giving you lots of time to respond to those notifications) and manual (human judgement should be necessary, but not sufficient, to do the final reset).
Provider-independent security systems like apple’s new end to end encryption should have secret-sharing social proof reset schemes where you can supply a quorum reset secret to several friends so that, for example, data can be unlocked in the event of your death. Pages of loud warnings are no substitute for thoughtful mandatory backstop procedures.
SolTwoOne@glyph I’m curious what you think of Apple’s recovery processes. They have recovery contact and legacy contact (provide access upon death). They both use two key shares (one with Apple, one with the chosen contact).
https://support.apple.com/guide/security/account-recovery-contact-security-secafa525057/web
https://support.apple.com/guide/security/legacy-contact-security-secebf027fb8/web
@SolTwoOne so, this is better than I remember it being; perhaps I didn’t catch updates after e2e shipped. I still want them to publish the process in a lot more detail, with screenshots of the flows involved for all parties and clear narrative explanations for why everybody needs this. And put it closer to the places where. i.e. you create an apple ID or do something irreversible like turning on FileVault or setting activation lock.
@glyph These were actually added last year in iOS 15, although without much fanfare. I think they were in preparation of E2EE iCloud. You have to enabled a recovery contact or recovery key (28 alphanumeric code) for Advanced Data Protection.
A flow chart would be really nice though. And I don’t think they have warnings for if you don’t enable ADP, although I haven’t made a new Apple ID in a long time so not sure.
As for your earlier SMS 2FA vs YubiKey lockout, I’m less familiar with but that could still be an issue. My understanding is if you have a logged in device, you’ll get notified of login attempts by a prompt on your trusted devices asking for approval which will supply the 6-digit 2FA code. If you don’t have a device, you can request a code via SMS instead. Not sure how this works if you enabled FIDO keys instead; the documentation just says you can be locked out if you lose all keys and trusted devices.
Someone on Reddit tested various scenarios if you’re interested: https://www.reddit.com/r/apple/comments/10mgr5l/security_keys_2fa_account_recovery_testing/
Resuna@SolTwoOne @glyph Until Apple allows open 2FA protocols, I don't care what they do. They don't allow open TOTP or FIDO and their non-SMS 2FA requires you own an iPhone.
@resuna @glyph They allow FIDO keys, fresh in the last OS update. https://support.apple.com/en-us/HT213154
@SolTwoOne @glyph That's a start. Now they need to support TOTP and support it on their website under all four major browsers and on Windows and Linux, and older operating systems, since it is a security update.
@resuna @SolTwoOne TOTP is worse, so I’d be happy if they skipped that but supporting FIDO2 auth on Windows is a necessary next step; enabling phishing-resistant 2FA still breaks a *little* too much functionality in your account
@glyph @SolTwoOne They already implement TOTP, it's just a proprietary incompatible TOTP that requires you own an iPhone.
@resuna @SolTwoOne you don’t actually need to own an iPhone, it can be a mac or an iPad too. Can you create an apple ID in the first place without owning one of those?
@glyph @SolTwoOne You need an Apple ID to buy music from the iTunes store even if you're on Windows.
raynor🌲 (not verified)@glyph I think there is an issue around differentiating threat models.
My great grandma has a low odds of a concentrated attack and fewer online accounts with less info, by two orders of magnitude than most people. SMS 1/2fa is probably most secure thing she can do, most effective, and appropriate for her circumstances.
So much of infosec, (1) focuses only on worst case scenarios and the highest threat models, (2) desires perfection, and (3) have access to systems that will be targeted.
@glyph yubikeys make sense for them, not for most people (usability matters!)
Re perfection: this is an engineering thing (guilty as charged), you want the things you create or are vested in to be flawless.
@raynor I agree with the vibe of what you’re saying here but not the specifics. We do sometimes catastrophize in infosec, but also, the increasing prevalence of spray-and-pray attacks is such that normies *do* get attacked in surprisingly sophisticated ways. More than one nontechnical acquaintance of mine has had their paypal account stolen in the last 3 months, for example, despite enabling 2FA. Phishing is cheap and easy for attackers.
@glyph Sure. I've seen that too.
I just think the threat modeling is part of the gap. You can put in a middle ground between grandma and infosec.