Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <3488fe08-adae-b5c6-f42b-37616a90824a@bestmx.net>
Date: Sat, 2 Jul 2016 12:41:36 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: 2-Factor vs Authentication

2-Factor "Auth": Something you know + Something you have

(if you prefer HTML formatting, read the
http://ithipster.com/34.html)

Previously (in "What Makes Your Password Yours" and "Auth vs ID") We 
have established that your exclusive and complete control over your 
password makes the password belong to you, and this is the one and only 
characteristic property of a valid password. Now, we are to scrutinize 
the second member of the 2-Factor formula.

Peeking at the final page of the story, the picture above is lying to 
you blatantly and insultingly. It could be true, however, if you are 
using a password plus a custom (sufficiently unique) hardware token, but 
is not the case. The proponents of «2-Factor» call for using your 
telephone as the second «factor», and it requires some clarification, 
what is «your phone» and how is it associated with you.


Do you own «something you have»?


The typical «2F» scheme is the following: the service provider sends a 
one-time password on a previously known phone number; then the user 
inputs this one-time password, as a proof of receiving it — supposedly 
this scheme should establish a fact: the user is in possession of a 
telephone associated with the given phone number. The information core 
of this scheme is the one-time token making its way through a 3rd party 
network to the user and back to the service provider… and it is 
absolutely safe and logically consistent — the trouble is in the phone.

The scheme presumes that since its initiation the given phone number is 
still associated with a phone in your possession and this phone is the 
only recipient of the message. Both assumptions are atrociously stupid 
and deranged from reality. Nevertheless they effectively define your 
«second-factor» token as: «YOUR» PHONE NUMBER. Despite everything you 
may think about «your» phone number it is not yours by any stretch of 
imagination.

Do you have any control of «your» phone number? No you don't. You may 
merely ask your service provider to perform certain (irrelevant to our 
topic) manipulations with «your» number, but can you guarantee the most 
important property of it (required by the 2-Factor) that the number will 
remain assigned to you next minute? NO YOU CAN NOT! The number belongs 
to your service provider and they have complete and exclusive control 
over it (and even that is questionable). Similarly you do not own «your» 
e-mail, «your» domain name, «your» passport number — all those things 
belong to other people whom you do not know even by names!


Your typical second token in the 2-Factor does not belong to you, not 
even slightly.


Well, you may now claim: "but it is only the second! you still need your 
password" and bla-bla-bla ignoring the fact that this argument of yours 
destroys the necessity of this second factor altogether…

My initial intention was to say: just wait a little bit, soon enough it 
will become the first, but the «soon enough» had happened before I 
finished the sentence. The youtuber Boogie2988 was hacked (his youtube 
account was closed and all his works deleted). According to his own 
testimony: Someone has seized my phone number and then using SMS 
«authentication» seized the control over my account.

And keep in mind, the security experts do not give two shits about your 
security, their primary concern is PROFIT, and what is the most 
profitable activity in Computer Science? — Reproducing the mainstream 
bullshit, no matter how harmful and dangerous.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.