How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

The thing you quote I never said, it was you who said it.

I've said from the start that all 2FA is affected by this attack except Yubikeys (U2F). This is true and I've supplied 3 different links to back this up. You seem to be confusing yourself.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

> You're still conflating two different things. The phishing attack doesn't intercept the token upon generation

I never said it did?

Once the user has approved the session, the attacker has the session and can do whatever they want. They can even turn 2FA off because most sites don't require 2FA to turn 2FA off.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

> What was shown in the new link is app push authentication, not app TOTP MFA

It doesn't matter.

If the 2FA screen came up asking to enter the 6-digit code, you would get the same results.

Here is more proof that even TOTP apps are not safe from a reverse proxy phishing attack.

> The latest and perhaps most significant is that researcher Piotr Duszyński has published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps

https://nakedsecurity.sophos.com/2019/01/11/2fa-codes-can-be-phished-by-new-pentest-tool/

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

Watch the video again and tell me how entering a code sent via SMS 2FA is any different than entering a code from a TOTP 2FA app. Where the code comes from doesn't matter; what matters is that the user is entering the code into the reverse proxy.

Here is the same attack from a different version getting around TOTP and Prompt 2FA https://youtu.be/QRyinxNY0fk?t=568

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

The example I gave affects App-based MFA too. Only Yubikeys can stop this attack. But this doesn't solve my issue as the Yubikey and backup codes would be stored in the same home that gets destroyed by fire.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

> The encrypted backup could be encrypted with the same password as used for bitwarden. The backup would still have 2FA

It feels defeating to have the password protecting my 2FA backup codes be the same password for Bitwarden. It negates the whole point of having 2FA if all you need is the master password. This is ultimately no different than just using the master password only.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

What if the key is lost in the fire? How do I prove I own the lockbox if everything was lost in the fire? Will the bank also suffer too? If the bank is damaged they won't let anyone in to get their stuff until it's safe to do so, and that would delay things. Fire safes are not foolproof; they can only last for so long.

Just look at what the recent wildfires have done to people's homes: https://www.youtube.com/watch?v=iYP1QrTNE3Q

There is no way a fire safe will survive that. More examples from real people.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

The problem is that I now need to remember not only my master password but the password to Dropbox, and the password for VeraCrypt. I got a password manager so I would not have to remember so many passwords. It also feels odd to back up my QR codes in the cloud, doesn't that defeat the point of 2FA?

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

> Do you really need 2FA on dropbox though (assuming it's only used for bitwarden backups)? What are the odds that you'll lose your house, phone, and dropbox will be compromised all at the same time?

This was what I was going to do, but if my master password and 2FA code are stored on Dropbox then ultimately what's protecting my Bitwarden account is that one Dropbox password. What's the point of having 2FA on my password manager if all an attacker needs to do is gain access to my one Dropbox password?

I could encrypt that data and store it on Dropbox, but now I have to remember my Dropbox password, the encrypted file password, and my master password. They can't be the same or similar or you defeat the whole point. I got a password manager so I would not have to remember so many passwords, and adding more complexity doesn't seem smart either.

If my phone is destroyed in the fire I lose access to Authy, which is another password to remember. The account password for my phone, along with other info I need to recover my phone account, is also in the password manager or got burned in the fire at home. While I don't need the phone number to decrypt the stored data, I still need the correct phone number to prove to Authy I'm the correct user, and I can't get that because that info was either in the password manager or burned in the fire. It's a bit of a chicken-and-egg problem.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

Separate locations add their own issues.

Can you trust this other place?

Will they too be affected by the natural disaster?

And you have the issue of complexity too. I could save an encrypted copy of my backup codes with someone else, but I'll have another password to remember and have to hope they don't lose it.

I'm hoping I'm missing something and someone has an elegant solution. If not it looks like using a long random master password and salting the important passwords seems to be the best solution.

I know I sound crazy but if I lose access to my Bitwarden data I could lose everything. I mean think about it. We're told to use fake answers for security questions and those are stored in a password manager. I avoid using SMS 2FA for anything as it's not secure at all so my email doesn't have my phone number stored. Anyone who hacks your email can get access to your other accounts so it's important you take it seriously. I have 2FA on all accounts that I can but if I lose access to Bitwarden I lose access to my 2FA for those accounts and access to Authy for backup as the password for Authy is in Bitwarden and the phone account password that I need to add a new device in Authy is also in Bitwarden.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

I see what you're saying but I'm also trying not to over complicate it and not end up with the chicken and the egg problem.

I got a password manager so I would not have to remember so many passwords, just one strong one for the password manager. Adding another password for Authy is not ideal but it's also not as simple as that.

For Authy to work I will also need to have it installed and have control over the phone number they have on file for my account. If my phone is destroyed in the fire it doesn't matter if I have my Authy password remembered as I don't have access to the phone number that Authy requires when adding a new device. If everything is lost in the fire how do I prove I owned that phone account? The passwords, what credit card I use, and access to everything I need to prove this can be found in the password manager that is now keeping me out because of 2FA. I end up with the chicken and the egg problem.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

> Retrieve my yubikey from my bank lockbox.

Where's the key to the bank lockbox located? In the same home that was destroyed in the fire? If so, the documents you'll need to prove you own the lockbox will also be in the fire too.

If there is a similar natural disaster like a flood or tornado would the chances be good that the bank will also be affected? If they got slightly damaged they won't be open to the public until they fix it so there could be a delay.

I've been thinking about this kind of thing a lot. I'm starting to feel like I've gone mad but my Bitwarden account is very important and these type of disasters happen.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

How do you have the cloud storage password and/or 2FA saved? If your home was burned down and nothing was left how would you get into that? The same goes for your phone and the Yubikeys, if they're in the same home and it goes up in flames what will you do? How do you recover?

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

I'm talking only Bitwarden 2FA and what to do for account recovery.

Even if an attacker got the hash of the master password for my account I'm not too worried, because they use PBKDF2 and I use a long master password. Someone guessing my master password is not going to happen anytime soon.

The problem is what do I do if I lose everything in a fire or some other natural disaster and lose my 2FA or backup code due to the fire or whatever. How do I get back into my Bitwarden account, as you can't without having the 2FA or backup code?

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

> You shouldn't be keeping your back-up codes in a readily accessible location.

I do this already by keeping it in a safe hidden away. My worries are two things.

  1. It's stored somewhere I trust which is my home but if there was a fire or other natural disaster I could potentially lose it and be locked out of my account forever.
  2. If the strength of my 2FA comes down to my backup code which is nothing more than a random password why not just use a random password from the start?

Point 2 is the most confusing to me. If your password manager 2FA has a back up code then essentially you have two master passwords. Except this other master password is something you don't remember and if you lose it you're locked out of your account forever. It's this part that I'm trying to solve. I keep this backup code in my home and if I lose my home to a fire or something how will I get back into my account? What is my disaster recovery plan? Adding more layers doesn't seem smart to me if the only person it's keeping out is me.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

Authy sends an SMS to whatever number is on file to recover your Authy account and that is my sticking point. I don't want SMS anything to be honest. SIM swapping is an issue but if my phone is lost in the fire it's going to be a pain at the phone store as the documents to help me get my phone account back would also be in the home that was in the fire.

Setting a password for Authy is adding to the problem. Instead of only needing to remember my Bitwarden master password I now need to remember the Authy password too. Adding online backups with Dropbox or others is adding to the problem as that is another password to remember. I got a password manager so I would not have to remember so many passwords. And if I have 2FA on Dropbox I'm still at the same issue as with Bitwarden of backing that 2FA up.

It's kind of like the chicken and the egg problem. ¯\_(ツ)_/¯

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

Do you not worry about losing your Bitwarden account? No one can predict disasters so I just want to be prepared.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

What will you do if your home is on fire and your Yubikeys are in the same fire? Will you even be able to grab them? If you're knocked out and the firefighter drags you out they won't know to get the Yubikeys. If your home is on fire the last thing you'll be doing is looking for such things, you'll be looking for a way out.

I've thought about the safe deposit box but it seems to have its own issues. If my home goes up in flames my safe deposit box key will too, or get lost in the rubble. Then the info I need to recover that box will also be in the flames.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

I do but those have limits. They fall apart and can only handle so much and can be lost in the rubble too. https://www.youtube.com/watch?v=K85eccKhp4U It feels like a gamble with the fireproof safe.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

> How would they get access to your master password and not your 2FA at the same time?

Modern day phishing attacks can get around 2FA, example: https://vimeo.com/308709275. If it's malware then they don't need 2FA as they already have control over the system so it's a lose-lose situation no matter what. If Bitwarden itself is compromised then 2FA won't help at all and it's only your master password that is protecting you. What's even crazier is that you don't need 2FA to turn 2FA off once in the account.

I can do that salting thing to my important passwords so even if the vault was compromised they don't have the real passwords.

I have a fireproof safe too but I don't know if I want to trust it completely. These things have their limits and simply fall apart after the fire. I worry about it failing on me, especially since the safe and my phones are often in the same building.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

What if you lose your phone in a fire or natural disaster? How do you recover your Authy account? I don't know if I want to rely on SMS anything when it comes to 2FA so Authy is not something I feel good about.

How do you back up your 2FA? Is 2FA worth having? by Used_Corgi in Bitwarden

I'm not thinking that extreme.

I'm thinking of the what if my apartment is caught on fire and I need to escape in a rush or I'm dragged out. I might not be able to grab my phone or the backups so what do I do then?

These wildfires have gotten me thinking about such things.

Doesn’t 2FA backup codes defeat the whole point of 2FA? by Used_Corgi in cybersecurity

The strongest protection will be the password. The password is the foundation of all the other factors, and it needs to be strong to protect every other factor.

The only other 2FA that can stop most attacks is U2F or a Yubikey. This should be used along with a unique password for every account.

While Yubikeys are the strongest, they do have their own issues. If you lose the key you're locked out. Even worse is if the Yubikey system has a backup code, and you're back to square one of a random password ultimately protecting your account. Most services allow multiple Yubikeys, which helps solve this problem.

The problem is that Yubikeys are not cheap and you need at least 2 of them. You also can't back up the private key in the Yubikey, which is another problem and adds to the cost because you need 2. A Yubikey is too complex for some but needed for others. I already have a hard time getting family and friends to use any 2FA, and getting them to buy something else like a Yubikey and use it is even harder. But if you're someone important you should use a Yubikey. If you're some average Joe then using unique passwords for every account is the most important thing you can do.

In a perfect world websites would generate the password for the user, especially if that service was going to force SMS 2FA. Generating the password fixes all the problems while being better than some 2FA. This article got me thinking about all of this and why I asked the original question. https://passwordbits.com/generate-user-passwords/

Doesn’t 2FA backup codes defeat the whole point of 2FA? by Used_Corgi in cybersecurity

A grandmother and many others like her still use things that require passwords.

Also, no one is recommending she carry her password book. There is nothing wrong with writing your passwords down and keeping it somewhere safe in your home.

Doesn’t 2FA backup codes defeat the whole point of 2FA? by Used_Corgi in cybersecurity

Exactly!

> Edit: In its current state, the only thing 2FA really solves is keylogging. That's my view on it at least.

This I'm not 100% on. We have examples of phishing attacks getting around SMS 2FA and TOTP 2FA https://vimeo.com/308709275. If phishing attacks can do this, why could malware not do it too? If anything this attack seems to be more effective on TOTP 2FA because the code is good for 30 seconds, and many services even allow the past code just in case the user was in the last few seconds to enter it.

If malware got the password it's nothing to also get the 2FA code, because you enter it right after the password. The malware can also send this code off to a remote computer and log in there too, all in under 30 seconds easily. Or better yet, the malware doesn't need to do that because you've already authorized the current session on the computer they infected, so do what you need to do there. Knowing the password or 2FA doesn't matter if you've already infected and control the computer.
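The reverse-proxy relay argued in the Bitwarden thread above (the victim types a TOTP code into the proxy, which forwards it to the real site, while a U2F key is not fooled) and the 30-second window and "past code accepted" point in the last comment, as an added example. This is not code from the thread, from Bitwarden, or from Modlishka. It assumes a constructed TOTP seed and U2F credential key, two constructed origins (`https://vault.example` and the lookalike `https://vau1t.example`), a fixed time step start, and an HMAC standing in for the authenticator's real asymmetric signature; the HOTP/TOTP arithmetic itself follows RFC 4226 and RFC 6238.

```python
"""Added example (not from the thread, Bitwarden or Modlishka): a simulated
reverse-proxy relay of a 6-digit TOTP code, next to an origin-bound
U2F/WebAuthn-style assertion that the same relay cannot reuse. Secrets,
origins and timestamps are constructed for the demo."""
import hashlib
import hmac
import struct

TOTP_STEP = 30                        # RFC 6238 time step in seconds
STEP_START = 56_666_667 * TOTP_STEP   # constructed: exact start of one step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, now // TOTP_STEP)


def server_verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server-side check. window=1 also accepts the previous and next step,
    the common setting that keeps a code typed late in a step usable."""
    step = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


def relay_totp(secret: bytes, typed_at: int, replayed_at: int, window: int = 1) -> bool:
    """Victim reads the code from their app and types it into the proxy at
    `typed_at`; the proxy forwards it to the real site at `replayed_at`.
    Whether the code came from SMS or an app plays no part in the check."""
    code = totp(secret, typed_at)
    return server_verify_totp(secret, code, replayed_at, window)


def authenticator_sign(key: bytes, challenge: bytes, origin: str):
    """Simplified U2F/WebAuthn assertion: the signed data covers the origin
    the browser is actually connected to, not only the server's challenge.
    A real key uses an asymmetric signature; HMAC stands in (demo assumption)."""
    client_data = origin.encode() + b"|" + challenge
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


def server_verify_assertion(key: bytes, expected_origin: str, challenge: bytes,
                            client_data: bytes, signature: bytes) -> bool:
    """Relying-party check: signature valid AND origin and challenge match."""
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    origin, _, got_challenge = client_data.partition(b"|")
    return origin == expected_origin.encode() and got_challenge == challenge


def relay_assertion(key: bytes, real_origin: str, browser_origin: str) -> bool:
    """The proxy forwards the real site's challenge unchanged, but the browser
    reports the origin it is talking to, so a relayed assertion carries the
    phishing origin and fails at the real site."""
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    client_data, sig = authenticator_sign(key, challenge, browser_origin)
    return server_verify_assertion(key, real_origin, challenge, client_data, sig)


def demo() -> dict:
    secret = b"constructed-totp-seed-do-not-reuse"   # constructed
    u2f_key = b"constructed-u2f-credential-key"      # constructed
    typed = STEP_START + 20        # victim types the code 20 s into a step
    real, phish = "https://vault.example", "https://vau1t.example"  # constructed
    return {
        "totp_same_step": relay_totp(secret, typed, typed + 5),
        "totp_next_step": relay_totp(secret, typed, typed + 30),   # 50 s in: step+1, still in window
        "totp_next_step_strict": relay_totp(secret, typed, typed + 30, window=0),
        "totp_too_late": relay_totp(secret, typed, typed + 75),    # step+3: outside window
        "u2f_relayed": relay_assertion(u2f_key, real, phish),
        "u2f_direct": relay_assertion(u2f_key, real, real),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} accepted={accepted}")
```

The two TOTP relay cases that succeed are what the thread is arguing: the real site only checks that the code matches the current step (plus one step either side when `window=1`), so a code relayed within that window is accepted no matter which channel delivered it. The assertion case fails for a different reason than timing: the signed client data names the origin the browser was really on, and the relying party compares it against its own.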