Let’s talk about a problem - software cannot be trusted anymore. In the past, if I allowed an app to send me notifications, I’d get alerted for things I wanted to hear about. Now every app uses spurious notifications as a way to artificially boost their daily active user count. I am one by one having to shut off notifications on apps that used to be reliable products. I’ve disabled notifications on LinkedIn because it keeps sending me ads and random unnecessary alerts.
We fundamentally need a new type of option: the ability to grant software privileges that are completely phony. I need to be able to *pretend* to grant an app the ability to send me notifications, but then to have all those notifications sent into the void. Untrustworthy software should not be able to know what privileges I have granted it.
@Tedspence @revk “Yes you can know my location... which I will select from a map while granting the permission”

@danieldurrans

I see the point and agree - just adding some nuance:

In the authentication realm, relatively authentic location is pretty useful. As a defender, reducing the cost of an attacker faking the location of an MFA prompt trigger ... makes things worse. (May still be worth the trade-off, though - YTMMV)

@Tedspence @revk

@tychotithonus @danieldurrans @revk authentic data and authentic apps do go together - no argument from me. But when sketchy apps start asking for access to the clipboard, to Bluetooth, to local networking - why should they deserve to know I have denied them access?

@Tedspence

Totally agreed - the tricky part is that an attacker can use the same layer to lie to an authentic app. (But that use case may be more rare than the ones you're advocating for!)

@danieldurrans @revk

@tychotithonus @danieldurrans @revk if you use denial of privileges to lie to an authentication server, wouldn’t the risk just be that your own access would be locked out, or that your own login data would be less secure?

@Tedspence
To clarify, I'm thinking of the use case where the legitimate user who is being presented with an MFA prompt is also presented with the location that the original authentication request came from, as a rough way to discern MFA triggers initiated by an attacker who has guessed or stolen their password. The user is shown a location name, and/or map where the request came from. This is an MFA fatigue/bombing countermeasure (that isn't perfect, but does raise the cost to the attacker).

And to further clarify, I suspect that what you're after is worth this trade-off. It's just something that defenders need to keep in mind as well.

@danieldurrans @revk

@tychotithonus @danieldurrans @revk yeah, the worst problem I could imagine is a sketchy app that happens to use a legitimate authentication provider. What happens if a silly mobile game tries to use Google auth? The invalid location data you provide to a sketchy app would then reduce the effectiveness of Google auth for real apps. Maybe this argues towards handling OAuth requests through some sort of OS interface that bypasses embedded web browsers.