[Linux-aus] Security conferences (was: LUGs)

Adam Nielsen a.nielsen at shikadi.net
Sat Jul 8 12:25:39 AEST 2023


> MFA works locally and people run into problems when they travel using
> cheaper local cards. Anyone with serious access should use two
> telephones and reserve one for the calls back to the office.
> 
> If you use your telephone number, lose your telephone, then try to
> get a new telephone with the same number, you can end up in an
> authentication loop. One friend hit that road block recently.

Using a phone number for MFA (e.g. with SMS) is considered a very
poor practice and is not secure at all.  There have been a number of
cases of employees at phone companies around the world being tricked or
bribed into porting a number across to a scammer's SIM, allowing the
scammer to receive SMS texts sent to a target's phone number.  I
believe it's also possible to clone a SIM, which, although more of a
technical challenge, can also allow an attacker to take over someone's
phone number and negate the benefits of MFA.  This has been happening
for a long time now, such as this incident from 2018:
https://www.abc.net.au/everyday/protecting-yourself-from-phone-porting-and-sim-card-scams/100421586

This is another thing that has been raised for many years at security
conferences but too many companies and even banks still insist on using
SMS for MFA, giving only the illusion of security, although some are now
understanding the risks and moving to custom phone apps instead.

This is why the best MFA methods do not require third party services,
as it's one less avenue that can be compromised.  A common and popular
implementation is Time-based One-Time Passwords (TOTP) which use a
shared secret and the current time to generate unique passwords (see
https://en.wikipedia.org/wiki/Time-based_one-time_password).

As these work entirely offline, they are not susceptible to any of the
attacks that SMS texts are, they are safe to use in countries where
Internet access is monitored and restricted or phone service is
unreliable, and you can copy the secret to multiple devices so for
example if you lose your phone, you can still generate the passwords on
a laptop to make it easy to update all the underlying secrets (so by
the time anyone extracts them from your lost phone they are no longer
useful).

Google Authenticator is one Android app that supports TOTP but there are
many others, and the secrets are generally compatible between them all
thanks to the RFC standards.  Personally I use the open source oathtool
to generate the passwords on my Linux machines, and I use them for many
online services - GitHub, Google, Amazon AWS, etc.

> CACert was a great idea. I hoped that would lead to key
> authentication for Facebook and everything instead of just the Musk
> Blue Tick.

The problem with certificate authentication is that nobody figured out
a good way to make it work for end users.  It was too complicated for
the average person to understand.  Even just getting your certificate
off a laptop onto a phone without compromising it (e.g. by e-mailing it
to yourself) is still a challenge today.

Perhaps WebAuthn and passkeys will be the answer:
https://arstechnica.com/information-technology/2023/05/passwordless-google-accounts-are-easier-and-more-secure-than-passwords-heres-why/

Cheers,
Adam.
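
The TOTP scheme Adam describes above (shared secret plus current time,
per RFC 4226/6238) is small enough to show in full.  The following is an
added example, not code from the list or from oathtool; the function
names (hotp, totp, decode_base32_secret, verify_totp) are my own, and the
only non-invented data is the RFC 6238 reference secret, used here purely
so the self-check can be compared against the published test vectors.
The base32 decoder handles the padding-less, space-separated form in
which authenticator apps and `oathtool -b` exchange secrets, which is
what makes the same secret portable between a phone and a laptop.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890").
# Used only for the self-check below; real secrets come from the
# enrolment QR code / otpauth URI and must never be reused across services.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> N decimal digits."""
    msg = struct.pack(">Q", counter)           # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                    # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Nothing here touches the network; only the secret and a clock are needed,
    which is why the same secret works on a phone and a laptop alike."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps and oathtool -b hand secrets around as base32,
    usually lower-case, space-grouped and without '=' padding; normalise first."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)       # restore padding to a multiple of 8 chars
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check.  Accepts the current step and +/- `window` neighbouring
    steps to tolerate clock drift, and compares in constant time so a timing
    side channel cannot leak which digits matched."""
    if unix_time is None:
        unix_time = int(time.time())
    for drift in range(-window, window + 1):
        candidate = hotp(secret, unix_time // step + drift, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Self-check against the RFC 6238 test vectors (SHA-1, 8 digits).
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (20000000000, "65353130")]:
        assert totp(RFC6238_SECRET, t, digits=8) == expected, (t, expected)
    print("current 6-digit code:", totp(RFC6238_SECRET))
```

A production verifier should additionally remember the last accepted
counter per user and refuse anything at or below it, so a code sniffed
from one login cannot be replayed inside the drift window; that bookkeeping
is left out above because it depends on the server's storage.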

