this post was submitted on 14 Jan 2024
1430 points (97.3% liked)

Greentext
[email protected] 2 points 10 months ago

Better than that is certificate-based 2FA. FIDO keys like YubiKeys are a good example. The challenge goes into the key, the response comes out. The certificate on the key that is used to process the challenge never leaves the device where it is located.

TOTP is nice in that you can enroll several devices and have backups, something that can be easily solved with FIDO by simply having multiple of them. When the keys go for something like $30 USD and provide some of the best security, there's no reason not to use it. It's simply too cheap not to.

TPM leveraged to use WebAuthn is an up-and-coming technology. Similar to FIDO, it uses key-based security and the vault is secured, usually with biometrics integrated into the system. Of course, that's not exactly portable, so IMO that's a good option for convenience, and having a pair of FIDO keys, one to carry and one as a backup, is a good secondary/on-the-go option.

TOTP and similar tech has been around forever. RSA keyfobs have been issued by banks for corporate accounts for a long time, since before SMS authentication was in use. It's basically mobile TOTP (six digit rotating code every 30s or so) as a standalone device. Banks support (or at least supported) this. Yet, TOTP is basically unheard of from banks or governments, and you can forget about certificate based authentication.

Bluntly, I have better login security on my email, Twitter, Twitch... even Snapchat accounts than I do with my bank. All are at least TOTP. The problem, I find, with TOTP is that people don't think about where the information is being stored, so it's entirely possible they could lock their TOTP behind a login secured by their TOTP. It's the same thing with password managers. Don't put either your password manager login or your recovery email account into your password manager. Secure both with something else that doesn't require either to work. Hardware keys are a good option. I have a few FIDO keys now. I bought the Google Titan key and used it to lock down both my email and password manager. Both my email and password manager have complex, memorable, and most importantly, long, password phrases. Everything else is on my password manager and either secured by its TOTP, or, if available, one of my security keys. The Titan is good because when you buy it, you get two. One USB/NFC, and one keyfob style that is USB and Bluetooth. I've added a FIDO2 YubiKey 5 for my work accounts and bluntly, I sleep very well knowing my online life is safe.

The only reason I don't concern myself about my bank is the long and complex password I use, coupled with the fact that anyone breaking into my accounts will not get anything but sadness from the experience. I know that's always my reaction looking at my balance.
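The lockout trap the comment above describes (TOTP seeds or the recovery email locked behind the very password manager they unlock) is a dependency cycle, and it can be checked mechanically. The following is an added example, not code from the commenter; the account names and the two setups are constructed, with each account mapped to what you must already have access to in order to log in to or recover it.

```python
"""Find circular authentication dependencies in a personal account setup."""
from collections import defaultdict

# Constructed "before" setup: the manager's own TOTP seed and the recovery
# email's password are stored inside the password manager they unlock.
CIRCULAR_SETUP = {
    "password_manager": ["pm_master_password", "pm_totp"],
    "pm_totp": ["password_manager"],        # seed lives in the manager
    "email": ["email_password"],
    "email_password": ["password_manager"],  # recovery mailbox password in the manager
    "pm_master_password": [],                # memorised, depends on nothing
}

# Constructed "after" setup, following the comment's advice: manager and email
# are unlocked by memorised passphrases plus a hardware key; only other sites'
# credentials and TOTP seeds live inside the manager.
FIXED_SETUP = {
    "password_manager": ["pm_master_password", "hardware_key"],
    "email": ["email_passphrase", "hardware_key"],
    "site_totp": ["password_manager"],       # other sites' seeds in the manager: fine
    "twitter": ["password_manager", "site_totp"],
    "pm_master_password": [], "email_passphrase": [], "hardware_key": [],
}


def find_cycle(deps):
    """Return a dependency cycle as a list (first == last node), or [] if none.
    Depth-first search with three-colour marking over the dependency graph."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)  # unseen nodes default to WHITE

    def visit(node, path):
        colour[node] = GREY
        path.append(node)
        for dep in deps.get(node, ()):
            if colour[dep] == GREY:               # back edge: cycle found
                return path[path.index(dep):] + [dep]
            if colour[dep] == WHITE:
                cycle = visit(dep, path)
                if cycle:
                    return cycle
        path.pop()
        colour[node] = BLACK
        return []

    for start in list(deps):
        if colour[start] == WHITE:
            cycle = visit(start, [])
            if cycle:
                return cycle
    return []


def root_secrets(deps):
    """Nodes with no dependencies: the factors you must hold outside every vault."""
    nodes = set(deps) | {d for ds in deps.values() for d in ds}
    return sorted(n for n in nodes if not deps.get(n))
```

A non-empty result from `find_cycle` means that losing any one account on that loop locks you out of all of them; `root_secrets` lists what must be memorised or kept on hardware.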