I wish infosec folks would spend more time talking about account recovery processes. Right now it feels like there’s a huge gap between “SMS 1FA is fully sufficient for instant password reset” and “you own a YubiKey so fuck you forever if you ever have a house fire”. And robust authentication protocols get subverted all the time by weak reset policies.
If we are going to have fewer, higher-value accounts that do auth across a zillion services (i.e. iCloud passkeys), account recovery should be loud (it should blast out notifications to every possible contact channel to ensure that you get notified if you’re being attacked by a reset attempt), expensive (it should take several days at minimum, giving you lots of time to respond to those notifications), and manual (human judgement should be necessary, but not sufficient, to do the final reset).
Provider-independent security systems like Apple’s new end-to-end encryption should have secret-sharing social proof reset schemes where you can supply a quorum reset secret to several friends so that, for example, data can be unlocked in the event of your death. Pages of loud warnings are no substitute for thoughtful mandatory backstop procedures.

@glyph I’m curious what you think of Apple’s recovery processes. They have recovery contact and legacy contact (provide access upon death). They both use two key shares (one with Apple, one with the chosen contact).

https://support.apple.com/guide/security/account-recovery-contact-security-secafa525057/web

https://support.apple.com/guide/security/legacy-contact-security-secebf027fb8/web

@SolTwoOne @glyph Until Apple allows open 2FA protocols, I don't care what they do. They don't allow open TOTP or FIDO and their non-SMS 2FA requires you own an iPhone.
@resuna @glyph They allow FIDO keys, fresh in the last OS update. https://support.apple.com/en-us/HT213154
@SolTwoOne @glyph That's a start. Now they need to support TOTP and support it on their website under all four major browsers and on Windows and Linux, and older operating systems, since it is a security update.
@resuna @SolTwoOne TOTP is worse, so I’d be happy if they skipped that, but supporting FIDO2 auth on Windows is a necessary next step; enabling phishing-resistant 2FA still breaks a *little* too much functionality in your account.
@glyph @SolTwoOne They already implement TOTP, it's just a proprietary incompatible TOTP that requires you own an iPhone.
@resuna @SolTwoOne you don’t actually need to own an iPhone, it can be a mac or an iPad too. Can you create an apple ID in the first place without owning one of those?
@glyph @SolTwoOne You need an Apple ID to buy music from the iTunes store even if you're on Windows.