Friday Squid Blogging: Shark vs. Squid
National Geographic has a photo of a 7-foot long shark that fought a giant squid and lived to tell the tale. Or, at least, lived to show off the suction marks on his skin.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
greenup • June 5, 2020 5:50 PM
So, I’ll use this as my starting point for “security story in the news uncovered by Bruce”:
https://www.androidpolice.com/2020/06/03/using-a-2fa-security-key-with-your-google-account-on-ios-is-about-to-get-easier/
Though honestly, I don’t care about iOS. What I really care about is trying to secure my own and my family’s stuff.
The market seems to be at something of a tipping point, with SOME OF the new stuff offering Real security AND usability, and the old stuff (passwords) being less manageable and cracked/dodgy all the time.
That said, “the new stuff” seems to come in a bunch of flavors, and despite having a fairly good background in security, I am having problems finding what I am looking for in the marketplace, and could use some suggestions, or suggestions on information sources or forums.
The “new stuff” is 2FA… except the term means too many things: TOTP, HOTP, SMS, U2F, FIDO2, PGP, CAC, PIV, and hordes of others, each with their own technology issues, costs, and limitations. (And my fruit-looping bank doesn’t support any of them except for SMS, and doesn’t consistently use that.)
My goals are:
Technology factors:
1. MITM. Many of the 2FA technologies are susceptible to Man-In-The-Middle attacks, with increasing sophistication to the level that I might not spot it in action, so what help would there be for my kids or mom? I am particularly talking about HOTP, TOTP, and SMS here, and while I understand that short “Security Codes” are essentially all we have for humans to use over the phone to other humans, (…again, susceptible to MITM) when talking essentially computer-to-computer, both sides should be able to cryptographically verify that there is no man in the middle. (public/private keys, client And server authentication, etc). This stuff (MITM) is only getting better, and there are practically kits for it now; upgrading family security to TOTP today just to discard it in 18 months is not viable. What technologies don’t use these stupid short codes, and why aren’t they labeled better? <—THIS is at the heart of my problem. OTP of almost all kinds are… poor. But the most common “solution”.
Tangentially related to Ease-of-use is Backups; the problem with Great Security is that it can be Very Secure against Yourself too, if you don’t have a backup. Or Two. But, that effectively means that you have to set up all of your backups with each site that you use? What if you want to keep your backup in a secure location; do you have to go drag it out every time you sign up for a new service?
Military-grade security is not necessary. I don’t consider my meager family resources to be a target of foreign governments. Biometrics are more than I think are necessary for normal consumers, and I personally consider fingerprint identification no better than passwords. WAY too easy to duplicate/replicate/steal, with anything you’ve touched (like a shiny phone screen), or a camera, or a knife. (hyperbole again) If the industry wants to do something useful with biometrics, they should do more finger-vein, which doesn’t leave its pattern behind on everything you touch, and can even work without touching germ-laden surfaces.
Frankly, I don’t think a toy yet exists that solves (in a practical way) modern security problems as mentioned above, but I feel like we are getting so close, and yet so far. Securing Lastpass with a non-shortcode second factor would be a great step forward; (though I am a Tiny bit concerned about someone MITMing the javascript delivered from lastpass). Social media accounts can stay on password-based auth forever as far as I’m concerned, particularly if I am able to use a tool to generate sufficiently long and cryptic passwords. The backup thing concerns me too; if I buy a cool $60 GoTrust Idem card with all the bells and whistles, do I have to get a backup to store in a fire-proof location? and retrieve it too often (or forget) to add accounts/synchronize? Do I have to buy 2x of them for each family member (x7), or try to cut costs and use one highly overused backup for everybody;
I really would like to get the critical stuff, like my email, password manager, and bank off to something better; How do I clearly market that “something better” to my colleagues, friends, and the suggestion box at my bank? Is there a general term dividing the short-code 2FA technologies from the others that I am just missing? Does a term for 2-Way-Computational-Authentication need to be invented? 2G2FA? Ugh.
On a totally practical level, can someone who has used a BLE or NFC FIDO2 device give me some feedback on how slow and awkward it is?
Too many questions. I need a good spreadsheet.
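The distinction the comment above is reaching for, between a short code that can be relayed and a challenge/response that is bound to the site it was registered on, can be shown in a few dozen lines. What follows is an added example written for this page, not code from the post or from the commenter: it implements HOTP/TOTP exactly as RFC 4226/6238 specify (so the RFC test vectors pass), then models a FIDO2/WebAuthn-style assertion. The site names, the user name and the challenge are constructed, and HMAC-SHA256 with a per-site device secret is used as a stand-in for the per-site key pair and signature a real authenticator produces; the structure (credential scoped to one origin, origin included in the signed data, verifier checking the origin) is what the example is about.

```python
import hashlib
import hmac
import json
import os
import struct

# --- One-time passwords (RFC 4226 HOTP, RFC 6238 TOTP) -------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password with dynamic truncation, per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def totp_verify(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift)."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def totp_relayed_code_accepted(secret: bytes, unix_time: int) -> bool:
    """A code typed into a lookalike page carries nothing tying it to a site, so when it is
    forwarded to the real site inside the validity window the real site cannot tell."""
    code_typed_on_lookalike = totp(secret, unix_time)
    return totp_verify(secret, code_typed_on_lookalike, unix_time)


# --- Origin-bound challenge/response in the style of FIDO2 / WebAuthn -----------
# Assumption (constructed for this example): HMAC-SHA256 with a per-site device secret
# stands in for the per-site key pair and signature a real authenticator would use.

class Authenticator:
    def __init__(self):
        self.credentials = {}  # rp_id -> device secret created at registration

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # handed to the site so it can verify later assertions

    def get_assertion(self, origin_seen_by_browser: str, challenge: str):
        """The browser, not the user, supplies the origin. A credential exists only for the
        site it was registered on, and the origin is part of the data that gets signed."""
        key = self.credentials.get(origin_seen_by_browser)
        if key is None:
            return None  # no credential for this site: nothing to sign
        client_data = json.dumps({"origin": origin_seen_by_browser,
                                  "challenge": challenge}, sort_keys=True).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).hexdigest()


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.device_keys = {}  # user -> secret received at registration

    def register(self, user: str, key: bytes) -> None:
        self.device_keys[user] = key

    def verify(self, user: str, challenge: str, assertion) -> bool:
        if assertion is None:
            return False
        client_data, sig = assertion
        expected = hmac.new(self.device_keys[user], client_data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False  # signature does not cover this client data
        data = json.loads(client_data)
        return data["origin"] == self.origin and data["challenge"] == challenge


def fido_relay_demo() -> dict:
    """Register on the real site, then run the same relay scenario through a lookalike origin."""
    real, fake = "bank.example", "bank-login.example"  # constructed names
    auth, rp = Authenticator(), RelyingParty(real)
    rp.register("alice", auth.register(real))
    challenge = os.urandom(16).hex()  # per-login challenge issued by the site

    direct = rp.verify("alice", challenge, auth.get_assertion(real, challenge))
    # The lookalike page forwards the real challenge, but the browser reports its own origin,
    # for which the authenticator holds no credential at all.
    no_credential = rp.verify("alice", challenge, auth.get_assertion(fake, challenge))
    # Worst case (not how FIDO behaves): suppose the same secret were usable for the lookalike.
    # The signed client data then names the wrong origin and the site rejects it ...
    auth.credentials[fake] = auth.credentials[real]
    client_data, sig = auth.get_assertion(fake, challenge)
    wrong_origin = rp.verify("alice", challenge, (client_data, sig))
    # ... and rewriting the origin field to the real site breaks the signature.
    rewritten = json.dumps({"origin": real, "challenge": challenge}, sort_keys=True).encode()
    origin_rewritten = rp.verify("alice", challenge, (rewritten, sig))
    return {"direct": direct, "no_credential": no_credential,
            "wrong_origin": wrong_origin, "origin_rewritten": origin_rewritten}
```

The contrast is the whole point: `totp_relayed_code_accepted` returns `True` because a six-digit code is just a number with a 30-second lifetime, whereas every relayed path in `fido_relay_demo` returns `False` without the user having to notice anything. "Origin-bound" (or "phishing-resistant") is the property to look for on a product sheet; it is what separates U2F/FIDO2 keys from TOTP/HOTP/SMS in the list the comment gives.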