Submission: With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com)

szczys writes: As the number and frequency of password breaches rises, users are encouraged to use Two-Factor Authentication as an additional safeguard. This protects from an attacker listening in right now, but in many cases a database breach will negate the protections of two-factor:

To fake an app-based 2FA query, someone has to know your TOTP password. That’s all, and that’s relatively easy. And in the event that the TOTP-key database gets compromised, the bad hackers will know everyone’s TOTP keys. How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle’s flash memory, and the device was shipped with it installed. This was pretty plausibly “something you had” even though it was based on a secret number embedded in silicon. (More like “something you don’t know?”) The app authenticators are doing something very similar, even though it’s all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into “something I know”, at least for me.

In the case of a database breach it may be years before the attack is disclosed to the user. During all of that time, if the TOTP keys were included in the breach it is the complexity of the passwords (and the regular changing of passwords) that will protect against a compromised account. In other words, 2FA is an enhancement to password security, but good password practices are far and away still the most important of security protocols. Despite constant warnings on this topic, there's no reason to believe users will start using and regularly changing strong passwords.
