Every security person will tell you that you need two-factor authentication (2FA), and we agree. End of article? No. The devil, as always with security, is in the details. Case in point: in the past few weeks, Google has botched its Google Authenticator app. The security community has been crying out loud, and while it’s not over yet, it looks like Google is on its way to fixing the problem.
With 2FA becoming a part of all of our lives, or at least it should be, let’s take a quick look at how it works, the many challenges of properly implementing 2FA, what happened with Google Authenticator, and what your options are for staying safe online.
You probably know or use Google Authenticator, Microsoft Authenticator, or an app like Authy. What all these authenticator apps have in common is the creation of a time-based six-digit number from a secret key. Maybe you scanned this secret key into your phone in the form of a QR code? If any of the above sounds familiar, you’ve used a time-based one-time password (TOTP).
Under the Hood
What happens under the hood with TOTP is no secret, and in fact you can do it yourself in a few lines of Python if you wish. Basically, you take the secret key, hash it together with the current timestamp, and pull six digits from the result. The server you’re authenticating to also has the secret key and a clock, does the same math, and if the results match, it knows it’s you!
This is a great system because a new six-digit “password” is generated every 30 seconds or so, making it impossible to guess before it expires. Using a one-way hash of the secret and the time guarantees that even if an attacker is listening, they won’t be able to generate the next code, or recover your secret key from what they intercept. And even if you get tricked into typing the six-digit TOTP into a bad website, it’s a one-time password, so the damage is limited to a single login. (Of course, if they can wipe your bank account in that one login…)
The underlying secret key in TOTP is longer and more random than any human-chosen password, and if you’re like most people you’ve never even seen it; it’s in that QR code you scanned. So your TOTP secret key is a good password, and it’s only stored in two places: your phone and the server you’re authenticating to. Therein lies the problem. What happens when you lose your phone?
Most authenticator apps have a way to back up the secret key to another device. The most common is to generate a QR code with your secret key so that you can simply take a picture of phone one with phone two. This way, only someone looking over your shoulder at that exact moment can steal the key. But what if you want to back up the secret in the cloud? This is where Google Authenticator got into trouble.
A secret key is a secret, and in the case of a 2FA token, it’s probably a secret you really care about. What do you usually do when sending or storing secrets? You encrypt them, right? Guess what Google didn’t do when the secret key was sent between your phone and their servers!
How should cloud backup be done properly? It must be end-to-end encrypted. This means that on the first phone, you type in another password to encrypt the secret before it is sent to Google. On the second, receiving phone, you enter the same password again to decrypt the TOTP secret. In the middle, Google or anyone else listening would have to crack the encryption to steal the TOTP secret, and you still get the convenience of the cloud.
What might go wrong when an authenticator sends keys in plain text? For one, you may not want to trust Google with your TOTP secret keys. Of course, if you use Google Authenticator just to sign in to Google, they already have the secret key. But if you are storing all your TOTP keys in one basket, in one convenient application, then Google (or whoever hacks Google) has access to your bank account, too. If the authenticator lets you encrypt the keys before backing them up, you don’t have to trust Google at all. Or mostly not.
Trust in TOTP
Authenticator apps are a strange deal. On the one hand, they provide one-time login codes that help defeat eavesdroppers. On the other hand, the secret must be used unhashed, both on your phone and on the server that verifies it. This means there is no highly secure way to store TOTP secrets on the server side, unlike normal passwords, which can be stored salted and hashed. So the integrity of your TOTP keys depends on the authentication server not being compromised. Your TOTP keys are more vulnerable to a server database breach than your regular password is.
The TOTP key is also stored in a readable form on your phone. It’s probably encrypted with some other secret key, but if someone compromises your phone, you’re probably cooked. Worse yet, it means you have to trust the TOTP app. Not surprisingly, there are numerous cases of malicious authenticator apps simply stealing your TOTP secret.
But you also have to trust the authenticator app to respect your privacy. While in principle a TOTP can be generated without any internet access, and indeed that is what hardware tokens like the Yubikey do, most mobile authenticator apps phone home. Particularly egregiously, Microsoft Authenticator sends personally identifiable data about you back to Microsoft even before you accept the Terms and Conditions, and keeps doing so afterward while you use it. Authy may be even worse, sending along which websites you log into. (Video link, great explanation.) It’s not clear whether the information Google Authenticator sends home uniquely identifies you, but it’s certainly more than is necessary to run the program, which isn’t great.
This all sounds pretty bleak for 2FA fans. On the one hand, backups are either hard to do or hard to get right. On the other hand, the companies that provide you with the software are spying on you. Should you just give up?
No! Remember that the TOTP system is open and easy to implement, and there are many open source apps that do not violate your privacy. Red Hat’s FreeOTP app works on iOS and Android and would be our first choice. Aegis Authenticator is also recommended, but it only works on Android. There must be others, so if you have a favorite, let us know!