I have yet to start using any smartphone two-factor authentication

October 12, 2016

Now that I have a smartphone, in theory I could start using two-factor authentication to improve my security. In practice I have yet to set up my phone for this for anything (although I did download an app for it). There turn out to be several reasons for this.

First, the whole area is fairly confusing and partly populated by people that I don't really trust (hi, Google). Perhaps I am looking in the wrong places, but when I went looking at least the first time around there was a paucity of documentation on what is actually going on in the whole process, how it worked, what to expect, and so on. What I could find was mostly glossy copy and 'then some magic happens'. I'm a sysadmin; I don't like magic.

(The confusing clutter of apps didn't help things either, although I suspect that people who know what they're doing here have an easier time cutting through the marketing copy everyone has.)

Then, well, it's early days with my smartphone and I'm nervous about really committing to it for something as crucial as authentication. Pretty much everything I've read on 2FA contains scary warnings about what happens if your phone evaporates; at the least it's a big hassle. Switching on 2FA this early feels alarmingly like jumping into the deep end. Certainly it doesn't seem like something to do casually or simply as an experiment.

(Probably there's a good way to play around with 2FA to just try it out, but I have no idea what it would be. Scratch accounts on various services? Right now I'd have to commit to 2FA on something just to find out how the apps look and work. I suspect that other people have a background clutter of less important accounts that they can use to experiment with stuff like this.)

Finally, there's the big, blunt issue for me: I just don't have very many accounts out there (especially on websites) that I both feel strongly about and that I'm willing to make harder to use by adding 2FA. Most of my accounts are casual things, even on big-ticket sites like Facebook, and on potentially somewhat more important sites like GitHub I'm not very enthused about throwing roadblocks in the way of, say, pushing commits up to my public repos.

(Part of this is that I'm usually not logged in to places. And obviously things would be quite different if I worked with any important GitHub repos.)

All of this feels vaguely embarrassing, since after all I'm supposed to care about security and I now have this marvelous possibility for completely free two-factor authentication, yet I'm not taking advantage of it. But I've already established that I have limits on how much I care about security.


Comments on this page:

Although some sites generate "backup codes" to use when 2FA is not available, lately I've been scanning the QR code both on my smartphone and a tablet, so one of them can be used in case something bad happens to the other.

The most common (in my experience, at least) way that 2FA is done is via TOTP which isn't very magic at all. Both you and the server know a (shared) secret string of bytes, and the current time. Then math is done, as standardized by RFC 6238. The math is based on HMAC. I can expand more on it if you care, but that's how that works. (There are plenty of varieties of people falling into the trap of making their own cryptography, the biggest name one I think is Authy's own flavor. It involves their proprietary mobile app receiving an encrypted notification from the push service of Apple/Google.)

The next question about 2FA is then deciding on how to manage those secrets your device has. Backing up secrets in general, then. Which there are numerous ways. (Again, Authy has a solution: they will back up the database of TOTP secrets stored in the app on their cloud servers and sync it back down on your new phone. Ick.)

For the initial crowd of 2FA adopters, it seems that a solution people have relied on is Google's own Authenticator. (It's open source and quite simple.) Back up its app database using adb, and store that sqlite file somewhere safe and encrypted. Manually restore on new phone.

Or you can remove the phone as a trusted partner in all of this, like I have. I use a Yubikey Neo, so the TOTP secrets are stored within the device in write-only storage. Which doesn't solve the disappearing USB key problem, but I've accepted that.

I've done plenty of research into the whole topic, if you'd care for more. (On both sides! I've implemented it for a variety of login services too.) I can talk about this for hours. :P

KeePassDroid supports TOTP natively, so you can use that as a 2FA store. You can then back up its database, and even open it on your desktop (KeePass needs the tray-otp plugin though).

By James (trs80) at 2016-10-12 06:40:22:

You could set up pam_oath on some of your own machines, and if you break it you just log in as root locally and remove it from the PAM config.

By Brendan Long at 2016-10-12 20:57:58:

Fedora makes Free other, which supports the same protocol as everyone else (FOTP). I use it because I didn't want to use a proprietary app for this, and I didn't realize Google Authenticator was open source.

I handle the backup case by storing screenshots of the QR codes on an encrypted flash drive.

By Brendan Long at 2016-10-12 20:59:02:

My autocorrect messed that up. I mean Fedora makes an app called FreeOTP which supports the relevant standards.

Written on 12 October 2016.

Last modified: Wed Oct 12 02:25:04 2016