
Comment by crote

19 days ago

You are supposed to store the password in a Secure Enclave, which you can only query for the current token value. You are also supposed to immediately destroy the QR code after importing it.

As I already mentioned, the fact that people often use it wrong undermines its security, but that doesn't change the intended outcome.

>You are supposed to store the password in a Secure Enclave,

That's at best a retcon, given that the RFC was first published in 2008.

>You are also supposed to immediately destroy the QR code after importing it.

Most TOTP apps support backups/restores, which defeats this.

  • > That's at best a retcon, given that the RFC was first published in 2008.

    How so? Apple didn't invent the idea of a secure enclave. Here is a photo of one such device, similar to one I was issued for work back in ~2011: https://webobjects2.cdw.com/is/image/CDW/1732119

    No option to get the secret key out. All you can get out is the final TOTP codes. If anything, having an end-user-programmable "secure enclave" is the only thing that has changed.

    I think they probably meant "Secure Enclave" in the same way that people say "band-aid" instead of "adhesive bandage", "velcro" instead of "hook and loop fastener", and "yubikey" instead of "hardware security token".

  • >Most TOTP apps support backups/restores, which defeats this.

    Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

    • > Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

      Google Authenticator has an export option that I've used in the past, so that one does it for sure. Authy allows cloud-based synchronization in any case, so exporting seems quite possible. MS Authenticator also allows cloud sync, so probably exporting is not difficult.

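The exchange above turns on who holds the TOTP shared secret, so here is an added example (not part of any comment in the thread) that implements RFC 6238 and shows that a seed recovered from a retained QR code or app export yields the same codes as the sealed token at every time step. `SealedToken`, `seed_from_otpauth`, `clone_matches` and the account label are hypothetical names, and the seed is the constructed RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SealedToken:
    """Models a hardware token: the seed goes in once, only codes come out."""

    def __init__(self, seed: bytes):
        self.__seed = seed  # software stand-in; real hardware enforces this

    def code(self, unix_time: int) -> str:
        return totp(self.__seed, unix_time)


def seed_from_otpauth(uri: str) -> bytes:
    """Extract the shared secret from an otpauth:// URI (the QR payload)."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# Constructed sample: RFC 6238 test key wrapped in a provisioning URI.
SEED = b"12345678901234567890"
URI = ("otpauth://totp/Example:alice?secret="
       + base64.b32encode(SEED).decode() + "&issuer=Example")


def clone_matches(times) -> bool:
    """True if a copy of the seed tracks the sealed token at every time."""
    token = SealedToken(seed_from_otpauth(URI))  # enrolment into the token
    backup_seed = seed_from_otpauth(URI)         # retained QR or app export
    return all(token.code(t) == totp(backup_seed, t) for t in times)


if __name__ == "__main__":
    print(totp(SEED, 59, digits=8))                      # RFC 6238 vector
    print(clone_matches([59, 1111111109, 2000000000]))
```

The server cannot distinguish the two holders, which is why the single-copy property depends entirely on how the seed was handled at enrolment.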

IMO if it is possible to use a system wrongly which undermines its security, it is already broken.

  • On the contrary - perfect security is only possible if your system is an inert rock. Or not even then, as the users could still use the rock "wrong" by beating security maximalists over their heads with it.

    Also honestly TIL that TOTP are somehow supposed to also enforce a single copy of the backing token being in existence. That's not just bad UX, that feels closer to security overreach.

    People in tech, especially software and security folks, tend to miss the fact that most websites with 2FA already put a heavier security burden on their users than anything else in real life. There's generally no other situation in people's lives that would require you to safely store for years a document that cannot be recovered or replaced when destroyed[0]. 2FA backup codes have a much stricter security standard than any government ID!

    And then security people are surprised there's so much pushback on passkeys.

    --

    [0] - The problem really manifests when you add lack of any kind of customer support willing to or capable of resolving account access issues.

  • This is how we get sites that block software tokens and only allow a whitelist of hardware-based tokens.

  • I can chuck a brick at your head. Clearly the brick is broken.

    • Bricks are meant to be built with, not thrown at heads.

      If you build with the brick properly you will have a great wall; if you don't, then it will fall down. Pretty simple.

  • Pass-The-Hash attacks exist and the only real countermeasure is to never log into user machines with privileged credentials.

    • Actually, the real countermeasure to PTH is to disable NTLM auth and rely only on Kerberos (and then monitor NTLM as a very strong indicator that someone or something is attempting PTH).

      Of course Kerberos tickets can be abused too in a lot of fun ways, but on a modern network PTH is pretty much dead and a surefire way to raise a lot of alerts.

      (You are absolutely right that privileged accounts must never log in on less privileged assets, however!)
