Tuesday, July 12, 2022

Multi-Factor Authentication Recovery Distrust

Chris Siebenmann (Hacker News):

But both of these situations have some things in common. I can actually talk to real people in both situations, and both have out of band means of identifying me (and communicating with me).

Famously, neither of these is the case with many large third party websites, which often have functionally no customer support and generally no out of band ways of identifying you (at least not ones they trust). If you (I) suffer total loss of all of your means of doing MFA, you are probably completely out of luck. One consequence of this is that you really need to have multiple forms of MFA set up before you make MFA mandatory on your account (better sites will insist on this).

[…]

More broadly, this is a balance of risks issue. I care quite a bit about the availability of my accounts, and I feel that it’s much more likely that I will suffer from MFA issues than it is that I will be targeted and successfully phished for my regular account credentials (or that someone can use ‘account recovery’ to take over the account). If loss of MFA is fatal, my overall risks go way up if I use MFA, although the risk of account compromise goes way down.

It seems like most sites that use two-factory authentication don’t offer recovery codes.

Previously:

1 Comment RSS · Twitter


Ghost Quartz

> More broadly, this is a balance of risks issue. I care quite a bit about the availability of my accounts, and I feel that it’s much more likely that I will suffer from MFA issues than it is that I will be targeted and successfully phished for my regular account credentials (or that someone can use ‘account recovery’ to take over the account). If loss of MFA is fatal, my overall risks go way up if I use MFA, although the risk of account compromise goes way down.

I appreciate their argument, but the problem with account recovery is that it is the same process used for account takeover, and he underestimates the lengths people will go to commandeer accounts for even the dumbest reasons (eg stealing a desirable account handle). And it’s often impossible to opt-out of weak recovery systems; there are many examples of leveraging weak recovery flows on one account to take over another account (SIM swapping to steal SMS codes most notoriously, or the whole Mat Honan debacle from 2012).

> People advise things like multiple hardware tokens, with some of them carefully stored offsite in trusted locations. This significantly (or vastly) raises the complexity of using MFA with these sites.

I don’t think it needs to be this complicated. You can store recovery codes and TOTP seeds in 1Password, or in an encrypted file on any cloud storage service. This narrows the scope of recovery to a single account. You can then store a backup of the secret key granting access to all your other MFA keys in a fire proof safe, with a trusted friend, on a steel "cold-storage wallet", etc.

Leave a Comment