• cooopsspace@infosec.pub
    ↑167 · edited · 8 months ago

    SMS: Here is your 30s “MFA” code, I’ll send it to you 40 minutes after you need it.

    SMS isn’t 2FA. It’s 1.5FA.

    • KairuByte@lemmy.dbzer0.com
      ↑91 ↓1 · 8 months ago

      SMS isn’t even secure. MITM, social engineering, straight up theft, and more are all ways around it. It should never have been implemented, but especially not when TOTP exists.

      • Opisek@lemmy.world
        ↑50 · 8 months ago

        What I despise most is when SMS is not just optional but forced upon me as “backup” to TOTP. “Lost your authenticator app? Send an SMS instead.” How about no?

        • KairuByte@lemmy.dbzer0.com
          ↑10 · 8 months ago

          I don’t believe I’ve run into that, but yeah it completely misses the point of totp. Hell, I’d prefer a lockout over SMS backup in most cases, my totp authentication has multiple encrypted backups.

        • lorkano@lemmy.world
          ↑8 · 8 months ago

          Especially because you can just back up the authenticator to a pendrive in encrypted form. I don’t care if I lose my phone, that’s exactly the reason an authenticator is better.

    • JasonDJ@lemmy.zip
      ↑17 ↓1 · edited · 8 months ago

      Dude.

      My wife’s phone started acting up the other day. It would keep losing cell service and even when it showed a signal, it still would only work on wifi.

      That happened a few hours after I ported my phone number (on the same family plan) to another carrier. So naturally, I thought the issue was with the carrier.

      Since I planned on porting her number out to my new carrier anyway, I didn’t want to troubleshoot.

      Well, get to the new carrier and it’s still not working. Go through the whole process of resetting network settings, and then eventually deleting the esim.

      New carrier, though, needs you to receive a text message before they send the esim.

      Naturally, with the esim deleted, it couldn’t receive text messages.

      Her issue did end up being her phone. Even after the port went through in full, it was still hit-or-miss with cell service. Worked on wifi though.

    • datelmd5sum@lemmy.world
      ↑16 ↓2 · 8 months ago

      I’ve heard people in the US still use SMS to communicate with each other. Fucking crazy.

      • Crashumbc@lemmy.world
        ↑23 ↓1 · edited · 8 months ago

        Inertia and ease of use are powerful.

        SMS “just works” and works for everyone here.

        While I would like the new fancy features. At least RCS is bringing some and is seamlessly integrated.

        Bonus I have 10+ years of txt history and can scroll/search to find something. And since my phone is Google (I know evil) I can access it all from the desktop seamlessly in one window.

      • Swedneck@discuss.tchncs.de
        ↑8 · 8 months ago

        uhhh that’s not some unique american thing lol, that’s how people here in sweden communicate too

        Barely anyone cares what specific protocol is being used, they just care about what app they have to use and who they can reach, and if anyone isn’t using a normal sms app they’re generally using facebook messenger or imessages both of which support sms fallback and thus their users don’t even know there’s a difference half the time.

        • datelmd5sum@lemmy.world
          ↑2 ↓4 · 8 months ago

          Can you for example send a video, encrypted and to your computer via SMS? I don’t know how much tech they’ve built over the protocol over in the US, but in many parts of the world SMS was charged per message in your phone bill and things like photos or video cost more to send. People abandoned SMS quickly when 3rd party IP messaging apps like whatsapp came out.

          • rickyrigatoni@lemm.ee
            ↑2 ↓2 · 8 months ago

            i think most people have unlimited texting and data in america, the greatest country.

            • datelmd5sum@lemmy.world
              ↑3 · 8 months ago

              Yeah data got unlimited here before texts, which caused people to move on to other things. Now texts are usually unlimited, but that train has already sailed.

      • jnk@sh.itjust.works
        ↑3 · 8 months ago

        Blame Apple for that. iPhone has this proprietary messaging app pre-installed which is probably super convenient for the ecosystem but uses some obsolete SMS protocol to communicate with Android phones. I think recently this has gotten better, but only because of Beeper and the EU pressing on them.

    • MeanEYE@lemmy.world
      ↑3 ↓17 · 8 months ago

      SMS is good enough. Sure it’s not as authenticator or some other MFA method, but it’s good enough. Chances of my random account hiding something worth subverting cell operator to get the SMS and my password, are slim to none. At that point don’t upload anything worth that much.

      • cooopsspace@infosec.pub
        ↑1 ↓1 · 8 months ago

        It’s overwhelmingly whatever provider they use for SMS, or some sort of anti spam checking.

        My phone has reception the whole time.

    • wreckedcarzz@lemmy.world
      ↑40 · edited · 8 months ago

      Or email OFA. Burger King, Popeyes (I know they are the same company), and just a bit ago, BuyMeACoffee. They let you enter a password; fuck if I know what their requirements are. No tooltip, no failure text. 60 char with special chars? Nope. (a few moments later) 20 chars with no special chars? Nope. Fuck it, let’s try 2FA. Get seed, generate code, go to setup verification page (on phone), first box, paste. ONLY THE FIRST NUMBER PASTES AND MY KEYBOARD CLOSES. SCREAMS

      (only factor authentication)

      • drolex@sopuli.xyz
        ↑16 ↓1 · 8 months ago

        Nothing compared to BOFA, which is arguably even worse and a lot more stupid

        • grue@lemmy.world
          ↑28 · 8 months ago

          For those who don’t know, the BofA app clears the username and password fields every time you switch to a different app, completely thwarting the use of password managers because Bank of America is apparently Hell-bent on forcing everyone to have easily-typed (and therefore easily-brute-forced) passwords.

          • Natanael@slrpnk.net
            ↑9 · edited · 8 months ago

            Android has password managers with keyboard app integration so you can paste both fields from the keyboard itself

            I use Keepass2Android and its own keyboard app for this. I switch active keyboard app when the login field shows up to paste and then switch back to my normal keyboard after.

      • viking@infosec.pub
        ↑4 · 8 months ago

        My bank has its own authenticator app, which doesn’t work on my phone. Piece of crap. They now enabled fingerprint login without additional 2FA somehow, and I can also authorise payments with biometrics. Only to change my limits, update address etc. I have to use the app (on an old Pixel 3a as a standby device just for this purpose).

        • Possibly linux@lemmy.zip
          ↑4 ↓1 · 8 months ago

          I would change banks. Stuff like this is a reminder why letting government run such services is a bad idea. (I’m sure your bank isn’t state owned but still)

          • viking@infosec.pub
            ↑4 · 8 months ago

            I can’t, live abroad and no bank I contacted would open accounts for non-residents.

            I have other accounts where I live, but all my investments and major holdings are sent back home.

        • Possibly linux@lemmy.zip
          ↑4 · edited · 8 months ago

          For one that requires more training and support. However I think the biggest reason is that it is predictable and requires access to the device. You also can’t steal a phone number as easily as stealing poorly secured keys

          • KairuByte@lemmy.dbzer0.com
            ↑5 · 8 months ago

            Poorly secured keys usually still require device access, unless they are secured so poorly that the individual would be compromised in one of many other ways regardless.

            Stealing a phone number requires, at most, paying off an employee at a telco company. At best it just requires a call and some social engineering. And don’t forget, people who leave their phone laying around without a passcode exist.

            Now, neither of these are really options for a dragnet approach, they’d need to be targeted. But the fact that one can be done fully remote should be a red flag.

            • areyouevenreal@lemm.ee
              ↑0 · 8 months ago

              The issue being what do you do when your phone gets stolen? You can get a new SIM with the same number easily. What’s the solution for TOTP?

              • KairuByte@lemmy.dbzer0.com
                ↑1 · 8 months ago

                You’re misunderstanding. Totp apps require authentication to use them, be it a password or bio-authentication. SMS does not, it just requires the phone number.

                You can get the phone number through any number of ways, but it can be done remotely meaning no one ever interacts with you or your phone. Through various methods, they have your phone number transferred to a different phone, and then have the SMS sent directly to them.

                Totp apps (typically) have a backup system in place. 1password as an example, uses their servers to host the data. But you can also back that up. The chances of someone gaining unauthorized access to your Totp account comes down to your security, and which service is chosen. 1password again as an example, is fully encrypted, they can’t see your passwords, if you forget your security token, the only solution is to wipe the entire password store and start again.

                The difference in security is mountainous. It’s the difference between a single family home, and a bank vault.

                • areyouevenreal@lemm.ee
                  ↑1 ↓1 · 7 months ago

                  Yes and muggers ask you for your phone pin. Ask me how I know. I am guessing this is why you need a separate password when using 2FA

                  I see now that there is a backup in place for losing a phone. That’s primarily what I was concerned about.

  • Limonene@lemmy.world
    ↑74 ↓14 · 8 months ago

    I agree with this sentiment. Steam notably falls into the third category, while otherwise being pretty good.

    But I’m quite disgusted now seeing an image of a Yubikey for the first time. I’ve heard so many good things about them that it’s a major disappointment to see now that they use that awful noncompliant shape of USB plug.

    There are two very important reasons for the metal shield around USB plugs: 1. For ESD protection, and 2. to hold the receptacle’s tongue in place and prevent it from bending away and losing contact. Every USB device I’ve owned that was a flat plug (like this Yubikey image in this post) has within a month deformed the USB receptacle it’s plugged into to the point that the device no longer works in that port. Compliant USB devices still work in that port’s deformed receptacle, because they have a correct metal shield that bends the tongue back into the correct position.

    • bus_factor@lemmy.world
      ↑44 · 8 months ago

      YubiKeys have almost every imaginable form factor these days. Here’s the USB-C version without NFC:

      YubiKey 5C

    • Nyfure@kbin.social
      ↑31 · 8 months ago

      No problems with yubikeys or the receptacle they are plugged into yet… no idea what you do while these sticks are plugged in… doesn’t seem like a major concern per the reviews

    • 018118055@sopuli.xyz
      ↑22 · edited · 8 months ago

      I’ve had my Yubikey FIDO2 token knocking around on my keychain for about 7 years now. Scratched and beaten, works perfectly and never had a port damaged, it doesn’t put enough pressure on it.

    • anyhow2503@lemmy.world
      ↑16 · 8 months ago

      It is kind of annoying that Steam doesn’t enable the usage of third-party OTP apps. To be fair, when they first implemented the feature, that wasn’t widely used and plenty of websites only enabled the use of one specific OTP app like Authy or Google Authenticator. They recently added a QR code login feature, which makes sense, but that still shouldn’t stop them from enabling MFA via third party OTP apps.

      • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.dbzer0.com
        ↑6 · 8 months ago

        Some third party apps allow you to import your Steam OTP, such as Gnome Authenticator

        However to obtain it in the first place you need to either use SteamDesktopAuthenticator (GitHub), an android emulator on your PC, or a rooted device to export your key…

        • subtext@lemmy.world
          ↑1 · edited · 8 months ago

          It also breaks your ability to do some actions with steam such as changing your email address because god forbid you enter the TOTP instead of pressing accept or something in the app

          This is currently me, wanting to update my email but not wanting to go through the hassle of changing my authenticator back to my steam app then re exporting the key to put it back in Bitwarden.

          So frustrating that they have to be ✨special✨ with their authenticator algorithm AND ALSO require the app for people who have reverse engineered it.

    • voxel@sopuli.xyz
      ↑12 · 8 months ago

      iirc it’s possible to somehow export the secret key used by Steam’s 2FA

      • KairuByte@lemmy.dbzer0.com
        ↑5 · edited · 8 months ago

        It absolutely is, the issue is that most mfa apps spit out 6 character outputs, while Steam requires 5. They’d need to implement the alternative algorithm, but 1password for instance flat out refuses since it’s non standard.
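Added example, not part of any comment in the thread: standard TOTP (RFC 6238) next to the 5-character variant described above, showing that both share one HMAC-SHA1 step and differ only in how the truncated value is encoded, plus a verifier that rejects a code that arrives long after its 30-second window. The Steam alphabet is the one used by open-source authenticators and is an assumption here; `truncated_hmac`, `steam_code`, `verify_totp` and `RFC_SECRET` are names chosen for this sketch.

```python
import hashlib
import hmac
import struct

# Alphabet used for the Steam-style encoding in open-source authenticators.
# Assumption: the thread only says "5 characters", it does not list the alphabet.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"

# Published RFC 4226 / RFC 6238 test secret (ASCII), not a real account seed.
RFC_SECRET = b"12345678901234567890"


def truncated_hmac(secret: bytes, counter: int) -> int:
    """RFC 4226 dynamic truncation: HMAC-SHA1 of the counter -> 31-bit integer."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Standard TOTP: decimal digits of the truncated value, zero-padded."""
    value = truncated_hmac(secret, unix_time // step)
    return str(value % 10 ** digits).zfill(digits)


def steam_code(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Same truncated value, encoded as 5 characters from a 26-symbol alphabet."""
    value = truncated_hmac(secret, unix_time // step)
    chars = []
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[index])
    return "".join(chars)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, digits: int = 6, step: int = 30) -> bool:
    """Accept codes from the current step and +/- `window` steps of clock drift.

    Every candidate step is compared in constant time, and all steps are
    always checked so timing does not reveal which step matched.
    """
    matched = False
    for drift in range(-window, window + 1):
        when = unix_time + drift * step
        if when < 0:
            continue  # no time step exists before the epoch
        expected = totp(secret, when, digits, step)
        matched |= hmac.compare_digest(expected, candidate)
    return matched


if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    code = totp(RFC_SECRET, t)
    print("TOTP (6 digits):", code)
    print("Steam-style    :", steam_code(RFC_SECRET, t))
    print("same code, 30 s later :", verify_totp(RFC_SECRET, code, t + 30))
    print("same code, 40 min later:", verify_totp(RFC_SECRET, code, t + 40 * 60))
```

A real Steam shared secret is distributed base64-encoded and would need decoding to bytes before being passed in.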

    • cafeinux@infosec.pub
      ↑7 · edited · 8 months ago

      It is actually possible to use Aegis for Steam, that’s what I do. It’s a pain to set up if you’re not rooted (I think you need to use an Android emulator on a computer and then export the Aegis DB to reimport it on your mobile IIRC) but it’s possible. Look at https://github.com/beemdevelopment/Aegis/wiki/Adding-Steam-to-Aegis-from-Steam-Desktop-Authenticator

      Steam is still very welcome to go fuck themselves with their shitty app, though.

    • jet@hackertalks.com
      ↑5 · 8 months ago

      I think the good people at yubikey want to provide people with every possible form factor, for whatever is convenient for them.

      If your organization issued you a yubikey, but you don’t like the form factor, I’m sure you could purchase your own and have them add it instead.

      You can also use a USB extension cable, to add a bunch of flexibility between your yubi key and your computer, especially if you leave it always attached. That would remove the lever problem you mentioned

  • gedaliyah@lemmy.world
    ↑30 · 8 months ago

    Uuuuugh. I just had this problem after dropping my phone. Can’t log into the phone without the phone being logged in. Solution: disable 2fa on a logged in device. If I can disable it from another device why can’t I verify it from another device? This is so broken!

  • KillingTimeItself@lemmy.dbzer0.com
    ↑28 · 8 months ago

    my favorite instance of google MFA was when i went to log into my google account for some reason. Google hit me with the MFA, cool whatever, i’ll MFA, google does the usual “heres how we do it because we give you no options because fuck you” and im like, cool, ok just gotta wait for this to work.

    And then it proceeds to not work, at all. Thanks google, very cool. Fortunately, i had a secondary auth app setup so i used that, and it worked, weird how that works huh? BTW, it wasn’t sms, it’s googles integrated android MFA service, which as far as i can tell, is literally a fucking requirement to using MFA.

    Also, i remembered again, that logging into my google account, automatically logs me into every google account i have. Yknow, because security. Anybody know how to disable that one btw? Google seems to be an endless labyrinth of options every time i try and do something with it so.

    • intensely_human@lemm.ee
      ↑9 ↓1 · 8 months ago

      logging into one google account does not log me into all my google accounts, as far as I know

  • Thrydwulf@lemmy.today
    ↑28 ↓6 · 8 months ago

    Wait, can you eli5 why multifactor authentication (MFA) (and maybe also 2-factor authentication apps) is “fuck off” levels?

    Is it privacy concerns or something bigger like more points of failure for overall security? Or smaller like not every one has/wants a smart phone?

    • FrostyPolicy@suppo.fi
      ↑108 · 8 months ago

      If I read it correctly the “fuck off” level refers to some proprietary app for the selected login. The other two are standard code app and yubikey.

      • the_weez@midwest.social
        ↑67 ↓2 · 8 months ago

        This is also how I read the meme. Codes are fine, tokens are fine. Your proprietary spyware app is NOT fine (Microsoft) and I hope you get fucked.

        • ilinamorato@lemmy.world
          ↑31 ↓1 · 8 months ago

          Microsoft login works just fine with any TOTP app, like Aegis. They just heavily push you toward their app.

          • mvmike@lemmy.ml
            ↑1 · 8 months ago

            Depends on how it’s configured by the company. I’ve faced in the past the situation of having to login with the company email to be able to use the MFA with a proprietary app, which meant I needed to enroll into the BYOD policy and it includes remote device management.

            Ended up installing an emulator in the work laptop just for that purpose and left the company shortly after.

        • Eager Eagle@lemmy.world
          ↑12 ↓1 · 8 months ago

          MS is fine, your average bank or broker institution though… when it’s not SMS, chances are it’s an “in-house” solution

          • mark3748@sh.itjust.works
            ↑2 · 8 months ago

            They offer other options for Microsoft accounts. Using it as a normal TOTP app is the same as any other Authenticator app.

            It’s most likely the number matching requirement that the other person doesn’t like, or their employer has a policy that’s annoying.

            • viking@infosec.pub
              ↑2 · 8 months ago

              Not the OP, but I have to use the stupid Microsoft authenticator for work, and half the time it’s hibernated and doesn’t wake up when prompted, and when I manually open the “verify login” tab, it spits out an OTP but doesn’t recheck for that 2 digit number I have to enter.

              And the login prompt on Windows doesn’t have a “resend” button, I can merely click “I don’t have access to the authenticator app”, and then it offers me the option to… Enter a manual code (courtesy of the authenticator app) or use the authenticator app. Dumb as fuck.

              If then I opt for the authenticator app instead of the override code, there’s a ~30% chance the app will not accept the new number because it’s still expecting the former one, if you’re too quick to enter it.

              Piece of garbage.

        • MystikIncarnate@lemmy.ca
          ↑1 · 8 months ago

          Yeah, I’ve seen that prompt at least 50 times by now. There’s almost always a button to use a different authenticator app, which shifts the code to be TOTP compliant.

          I don’t think I’ve ever seen that button not be there.

          To be fair, the MS authenticator app is also useful as a totp app, so it’s not all bad. I mean, I don’t use it, but it’s not all bad.

          If your company (assuming this is for ms365) can also enable FIDO2, so yubikeys are also possible, but they’re not enabled by default, so your 365 admin needs to go press a button to allow that for you. MS even supports passkey for passwordless login. But again, not enabled by default. Fun fact: Windows 10/11 also support all of this but if you’re on an active directory domain… You guessed it, it’s not enabled by default.

          To their credit, Microsoft has made some pretty significant strides in account security in recent years. It’s pretty impressive; though requiring a TPM for desktop Windows (especially the “home” versions) still makes me raise an eyebrow. Overall it should help with security… But a hard requirement? Okay Microsoft. If you say so.

    • Bezier@suppo.fi
      ↑20 · 8 months ago

      I already have an authenticator app. If some service wants to force me to install their own app for their login, they are indeed welcome to fuck off.

    • cley_faye@lemmy.world
      ↑7 · 8 months ago

      Standard authenticator (software or hardware) are, well, standard. You can pick anything compliant and use it with any compliant service. Requiring a specific app means that you have to install yet another app, which may or may not be well made, and may or may not snoop on you, and usually will only work with one service, assuming you have a compatible device to run it to begin with.

      It’s more than an inconvenience; not insurmountable, but way more work than just having a standard thing that works perfectly well and is based on known and proven algorithms.

      • jet@hackertalks.com
        ↑6 · 8 months ago

        Don’t forget the dark pattern, where they need to allow push notifications to get two factor to work, but those same push notifications are now used to badger the user and create more advertisement touch points

    • MystikIncarnate@lemmy.ca
      ↑1 · 8 months ago

      I can try:

      You see, a lot of really smart people worked very hard to make standardized multifactor authentication so different companies can make products that work with the MFA on different sites and services.

      The standardized versions are very cross compatible and very very secure.

      Some dumb dumbs want to be different and make you install some application on your smartphone so that you can do the exact same thing but only for their site/service. This is widely considered a bad idea, and it makes people sad. Having to install yet another app, just so you can do something that could, and should be possible with the very good existing technology that’s been created by those very smart people I mentioned before, is stupid, inconvenient, and frustrating for anyone who understands how these things work, and how secure they actually are.

      Since the app that the dumb dumbs made was created by them, for them, and they don’t share how that app functions, it can very justly cause concern with those that enjoy their privacy, since the app could be doing any number of potentially nefarious things. When you compare that with the known and trusted methods of authentication created by the smart people, it’s understandable that people would not appreciate having to use some proprietary application to do something that’s already able to be done in a safe and predictable way.

      … I think I may have used too many big words. You did ask me to eli5…

  • BluesF@lemmy.world
    ↑18 · 8 months ago

    At work usually I can login without any input thanks to SSO, but occasionally it will ask for a security check. The default is to press a notification in outlook on my work phone, which I only ever use when travelling, so it’s invariably off… 🙄

  • AngryCommieKender@lemmy.world
    ↑13 · 8 months ago

    My brain needs to boot faster. Took me far too long to figure out that wasn’t Mother Fucking Authentication, and was instead more likely Multi-Factor

  • 🍔🍔🍔@toast.ooo
    ↑7 ↓2 · 8 months ago

    im definitely an idiot but i couldn’t figure out at all how to make a yubikey work with a keepass database on android

    • 2xsaiko@discuss.tchncs.de
      ↑9 ↓3 · 8 months ago

      Yubikey is only really useful for authentication with a trusted party, and not decryption. You can technically store a secret key on it but then its two biggest advantages are gone, namely that you can’t copy the key and that it doesn’t use the limited storage on the device.

      • cley_faye@lemmy.world
        ↑4 · 8 months ago

        The yubikey can perform a hmac using a secret (supposedly) only available to the key’s internals. This is used in addition to the password, so that knowledge of the password without the key, or the key without knowledge of the password, can’t be used to decrypt the database. It’s kind of a half second factor (I know it’s not technically correct to call it that, but I hope you get the idea).

        It’s also in their doc (that they use challenge/response): https://keepassxc.org/docs/ and is even featured on yubico’s website, which is somewhat weird but why not: https://www.yubico.com/works-with-yubikey/catalog/keepassxc/#tech-specs

        The issue GP had is probably that the keepass app does not support it on Android.

        • 2xsaiko@discuss.tchncs.de
          ↑1 ↓4 · 8 months ago

          You can absolutely copy the key, because the device has to give it up to the application during decryption. Or does the application send the encrypted file to the yubikey for it to decrypt it? In which case, that’s a lot better and I’m wrong.

          • tux7350@lemmy.world
            ↑3 · 8 months ago

            You use a GPG key that you then add to the yubikey. The keys can only be written or deleted off the yubikey, you can’t read the secret once written. Then you can use the GPG key to either encrypt a file or sign it. Check out Pretty Good Privacy and the GnuPrivacy Guard software for more information on how that works.

            I use my yubikey to encrypt files, sign my work in Git, as well as the usual password authenticator stuff. You can still use FIDO, U2F and OTP codes while using the GPG too.

            Check out this awesome guide on how to setup an airgapped computer to generate the GPG key. https://github.com/drduh/YubiKey-Guide

          • Natanael@slrpnk.net
            ↑1 · edited · 8 months ago

            You’re talking past each other, some Yubikeys have PGP applets for asymmetric encryption (public / private keypairs), and HMAC is a symmetric single key algorithm where the yubikey sends a resulting value to the PC/phone which is part of the key derivation inputs (even though the yubikey’s root key remains secret).
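Added example, not part of any comment in the thread and not KeePassXC's code: a simulation of the HMAC challenge-response scheme discussed in the comments above, where the database key is derived from the password plus the token's response. It shows that neither factor alone unlocks the file, and that a response seen by the host stops working once the file is re-saved with a fresh challenge. `SimulatedToken`, `derive_key`, `seal`, `unlock` and `demo` are hypothetical names, and PBKDF2 stands in for whatever KDF a real password manager uses.

```python
import hashlib
import hmac
import os


class SimulatedToken:
    """Stand-in for a hardware slot: the secret is used inside, never returned."""

    def __init__(self, slot_secret: bytes):
        self._slot_secret = slot_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        # HMAC-SHA1 over the challenge; only the 20-byte result leaves the token.
        return hmac.new(self._slot_secret, challenge, hashlib.sha1).digest()


def derive_key(password: bytes, response: bytes, salt: bytes) -> bytes:
    """Mix both factors into one composite, then stretch it (assumed KDF)."""
    composite = hashlib.sha256(
        hashlib.sha256(password).digest() + hashlib.sha256(response).digest()
    ).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, 50_000)


def key_check(key: bytes) -> bytes:
    """Value stored in the header so an unlock attempt can be verified."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def seal(password: bytes, token: SimulatedToken) -> dict:
    """Create a file header; a fresh random challenge is chosen on every save."""
    challenge, salt = os.urandom(32), os.urandom(16)
    key = derive_key(password, token.challenge_response(challenge), salt)
    return {"challenge": challenge, "salt": salt, "check": key_check(key)}


def unlock_with_response(header: dict, password: bytes, response: bytes) -> bool:
    key = derive_key(password, response, header["salt"])
    return hmac.compare_digest(key_check(key), header["check"])


def unlock(header: dict, password: bytes, token: SimulatedToken) -> bool:
    response = token.challenge_response(header["challenge"])
    return unlock_with_response(header, password, response)


def demo() -> dict:
    token = SimulatedToken(os.urandom(20))        # constructed sample secrets
    other_token = SimulatedToken(os.urandom(20))
    password = b"correct horse battery staple"

    header = seal(password, token)
    # The host necessarily sees this response while unlocking the file.
    seen_by_host = token.challenge_response(header["challenge"])
    resaved = seal(password, token)               # new challenge, new key

    return {
        "password_and_token": unlock(header, password, token),
        "wrong_password": unlock(header, b"guess", token),
        "wrong_token": unlock(header, password, other_token),
        "seen_response_same_file": unlock_with_response(header, password, seen_by_host),
        "seen_response_after_resave": unlock_with_response(resaved, password, seen_by_host),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} {result}")
```

Because the challenge travels inside the file header, a copy synced to another device unlocks with the same token without any counter to keep in step.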

          • miss phant@lemmy.blahaj.zone
            ↑1 · 8 months ago

            Excuse my surface knowledge on this but when setting up TOTP on Yubikey you can choose to only get an OTP on touch which would be pointless if the application had access to the secret at any point. Based on that it’s probably not possible to copy it.

      • 🍔🍔🍔@toast.ooo
        English
        arrow-up
        2
        ·
        8 months ago

        i use keepass to store all my passwords, the database file gets synced across my devices through Dropbox, i open it with a master password, i would like to improve this by also requiring the yubikey

        i am kind of confused too as to what exactly the yubikey does in this scenario. my vague understanding is that it was somehow synchronized such that the yubikey would generate sequential random ‘passwords’ which would be checked against the database file (generating its own sequence in the same manner).

        i think it stopped working due to some desynchronization between the yubikey and the database file.

        • MystikIncarnate@lemmy.ca
          English
          arrow-up
          0
          ·
          8 months ago

          Sync shouldn’t really matter, unless you’re using a HOTP code as opposed to a certificate or TOTP code.

          TOTP being temporal, is based on UNIX time, and a seed key. A certificate will be challenged, which will require a challenge and reply all cryptographically encrypted. It’s not something that’s necessarily stored in some kind of sync, or rolling codes.

          I’m not familiar enough with keepass to say what it’s supposed to use with the yubikey in order to work. There’s a few other methods that I’m sure that keepass could leverage to perform the authentication, so I’m not entirely sure what could be the problem.
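The difference between counter-based and time-based codes raised in the comment above, as an added example that is not part of the thread. It implements HOTP (RFC 4226) and TOTP (RFC 6238) and shows how a counter-based verifier falls out of sync; `HotpVerifier`, its look-ahead window and `demo` are assumptions for illustration, and the secret is the RFC test key.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret, not a real key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Hypothetical verifier: keeps its own counter plus a small look-ahead window."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 2):
        self.secret, self.counter, self.window = secret, counter, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise just past the accepted code
                return True
        return False


def demo():
    server = HotpVerifier(SECRET)
    # Token generated one unused code: counter 1 is inside the window, so it resyncs.
    small_drift = server.verify(hotp(SECRET, 1))
    # Token generated many unused codes: counter 9 is outside the window, so it fails.
    large_drift = server.verify(hotp(SECRET, 9))
    return small_drift, large_drift, server.counter


if __name__ == "__main__":
    print(demo())
    # TOTP has no stored counter to drift: both sides compute it from the clock.
    print(totp(SECRET, 59), totp(SECRET, 59, digits=8))
```
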

          • 🍔🍔🍔@toast.ooo
            English
            arrow-up
            1
            ·
            8 months ago

            okay, i appreciate you taking the time to write a response, i have no idea what you’re saying though. maybe im wrong about why it didn’t work.

    • Kairos@lemmy.today
      English
      arrow-up
      35
      arrow-down
      1
      ·
      edit-2
      8 months ago

      No they fucking won’t. You know that websites are going to be massive throbbing cocks about it.

      “Due to security issues, passkeys for our service must be kept in <Company name>® Secure Passkey App™. Please install the app on your device to continue. This app requires Apple Notification or Google Play services to operate. Must have verified phone number to use.”

        • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.dbzer0.com
          English
          arrow-up
          8
          arrow-down
          1
          ·
          8 months ago

          Unironically this…

          Passkeys don’t work on my rooted device - they seemingly set up correctly, but sites like GH claim your device passkey doesn’t exist when you try to actually login. When you go to the affected site’s account settings to add the device as a passkey again, an error of some kind claims the passkey already exists 🤷‍♂️

          Deleting/re-adding has no effect. Using FF with device biometric passkey auth

          • ChickenBoo@lemmy.jnks.xyz
            English
            arrow-up
            4
            ·
            8 months ago

            I have to do anything passkey based on chrome on Android. No clue why. Had to recover my PSN account like 4 times before I figured out it was a Firefox problem.

      • Suzune@ani.social
        English
        arrow-up
        3
        arrow-down
        1
        ·
        8 months ago

        Passkeys are an open standard. You need to install a WebAuthn-compliant supplicant that talks to the browser. The supplicant can be anything, as long as it does the required protocol. The browser doesn’t care.

        At the moment the browsers are the main problem. They need to open their APIs properly.

        • jet@hackertalks.com
          English
          arrow-up
          1
          ·
          8 months ago

          Counterexample: Symantec’s TOTP. https://vip.symantec.com/

          They work with companies to integrate TOTP into their system, but it’s a bastardized version of the open standard. You cannot use standard TOTP software with the Symantec integration.

          They want you to use their proprietary app on your phone.

          You can, however, take Symantec’s crazy code, go through a converter, and then use a standard TOTP app.

          But this is a great example of enshittification of an open standard.

        • jj4211@lemmy.world
          English
          arrow-up
          1
          ·
          8 months ago

          Problem is part of the standard allows the server to require attestation. So congratulations, they only bless their app, or maybe they only bless iphones.

          If the service ignores that, then yes, it’s great. It’s as yet unpopular so it’s hard to know, but in adjacent industries I have seen them lock down to the point it’s as asinine as “open your app to continue”.

        • SuperIce@lemmy.world
          English
          arrow-up
          1
          arrow-down
          1
          ·
          8 months ago

          Not necessarily. I found out that bitwarden can generate a QR code that you just scan with your phone that allows your phone to act as a passkey, no browser support required. I was surprised when I discovered that. I had set up my phone as a passkey in Windows, and Windows can use phones as a passkey directly; on Linux that’s not supported so it just gave me a QR code that worked seamlessly. It’s not like a browser URL, but actually triggers the phone’s passkey authentication, kinda like QR codes for WiFi authentication. Pretty neat.

  • Hotzilla@sopuli.xyz
    English
    arrow-up
    12
    arrow-down
    21
    ·
    edit-2
    8 months ago

    Sorry, as an IT person I have to disagree, app-based MFA is just way easier to maintain than HW keys.

    Edit: forgot to mention that in Finland companies here have to provide a phone if your work requires that. In IT I don’t want anything to do with users’ personal devices, and it sounds insane to me that in the US companies force apps onto your personal devices.

    • jet@hackertalks.com
      English
      arrow-up
      10
      arrow-down
      1
      ·
      8 months ago

      I’ve had this argument with different people when asking for a hardware token vs app only two factor.

      I’m not installing a proprietary app on my personal device. I’ll use an open standard, I’ll use a lightweight hardware token. I’m not going to run an invasive binary black box for push authentication 24/7 on my personal device.

      At this point everyone has extra phones that don’t get security updates. I just used an old phone, installed the app on that phone, and left it in my desk… It’s kind of a terrible security dongle at this point.

      • Hotzilla@sopuli.xyz
        English
        arrow-up
        2
        arrow-down
        1
        ·
        8 months ago

        Has to be a company phone of course. In IT I don’t want anything to do with your personal device.

        Here in Finland it is normal (or even required) that the company provides you a phone and subscription if your work needs that.

      • bus_factor@lemmy.world
        English
        arrow-up
        11
        arrow-down
        1
        ·
        8 months ago

        They’re talking about operationally. They don’t want to configure and distribute a bajillion dongles to users.

      • HeavyDogFeet@lemmy.world
        English
        arrow-up
        8
        arrow-down
        2
        ·
        8 months ago

        Oftentimes, yes. I don’t want to always have to have a USB key on me, but I always have access to MFA apps via my phone, watch, or laptop. I have no idea why you’re typing the code out instead of copying and pasting.

      • derpgon@programming.dev
        English
        arrow-up
        8
        arrow-down
        5
        ·
        8 months ago

        Open an app, find the one number for your specific app among the bajillion you have, oh the timer is almost out and you forgot halfway through, tap back in the app, oh the fucking app scroll all the way to the top again.

        • Fish [Indiana]@midwest.social
          English
          arrow-up
          2
          arrow-down
          3
          ·
          8 months ago

          Open app via sidebar, search for website in search box, enter number once because I’m not super fucking slow at typing

      • daq@lemmy.sdf.org
        English
        arrow-up
        1
        ·
        8 months ago

        Pretty sure he’s talking about MFA that just asks for confirmation whether that’s you logging in on the phone. No typing required.

    • MSids@lemmy.world
      English
      arrow-up
      4
      arrow-down
      2
      ·
      8 months ago

      App-based TOTP is not phishing resistant and does not require any level of proximity to the login session. The future is more likely passkeys that use device TPMs.