[HN Gopher] Current MFA fatigue attack campaign targeting Micros...
___________________________________________________________________
Current MFA fatigue attack campaign targeting Microsoft Office 365
users
Author : WaitWaitWha
Score : 110 points
Date : 2022-02-16 18:17 UTC (4 hours ago)
(HTM) web link (www.gosecure.net)
| codeflo wrote:
| Microsoft's are the only services I use where I regularly have to
| delete all cookies because Teams or something gets stuck in a
| strange redirection loop that doesn't happen in clean browser
| instances. Good times.
|
| I think Microsoft is also responsible for an (at the time a bit
| embarrassing) account breach I suffered. I have no proof, but
| something very weird happened.
|
| Way back when, I think my Skype account was hacked using a
| password that no longer should have existed. This happened some
| time after the forced migration to Microsoft accounts. The new
| password was unique and password manager-generated, and no
| machine of mine was ever compromised -- luckily.
|
| However, my old Skype password had been embarrassingly weak
| (different times), and I had only upgraded everything to strong
| passwords a short time before that. I remember that there was no
| user-visible way to change the old Skype password or even see the
| account anymore -- I thought it was deleted during the migration.
|
| Yet someone managed to spam all my contacts, some of which got
| very angry with me personally. My best guess is that they had
| accidentally exposed an API backend that still used the old
| account database. Again, I don't really know and can't prove it.
| There were hints in forums of other users with that problem, but
| never any official answer.
|
| My actual point is, Microsoft isn't that great at all of this.
| Whenever they buy something and force migrate all accounts, the
| user experience gets worse.
|
| I have no idea why so many enterprise IT departments have such a
| strong preference for their stuff. It's not like any of it is
| particularly easy to set up.
| robertlagrant wrote:
| I think there is a genuine affinity for GUIs in a lot of IT
| departments. If there's no GUI then it's completely alien.
|
| Others - like me - get worried when there _are_ GUIs. So OS
| manufacturers can't win!
| olliej wrote:
| This is why "do you want to allow browser to do X" dialogs are
| not a good security model for the myriad features people keep
| trying to get added to the browser.
|
| Dialog fatigue is a well known issue, and has been for decades at
| this point.
| djhaskin987 wrote:
| OTP. OTP, OTP, OTP. I could feel in my _bones_ it was better, and
| now I have proof.
|
| Because you are giving an OTP to the website, instead of the
| website giving a push notification to you, OTP mitigates this.
| It's also just better and way less invasive.
|
| Google lets you use OTP, but only as a back-up option to having a
| phone and using push notifications. Apparently Microsoft as well.
| Many financial institutions still use SMS for MFA, not wanting to
| use OTP or app probably because it's "too technical" for older
| people who comprise the lion's share of investors.
|
| PLEASE, can we all just use OTP already.
| AlexandrB wrote:
| You used to be able to add OTP and then remove the SMS 2 factor
| from your Google account to have OTP-only. Is that no longer
| possible?
| thatnerdyguy wrote:
| Isn't OTP vulnerable to MITM attacks?
| mk12 wrote:
| Skip OTP, give us FIDO2/Webauthn for everything. OTP is
| vulnerable to phishing.
|
| I was pleasantly surprised when both Bank of America and
| Vanguard leapfrogged from SMS MFA to security keys. I bought 3
| and started using them for every service that allows me to.
| Even better are services (e.g. Bitwarden, GitHub) that don't
| restrict to security keys, then MacBook Pro and iPhone Touch ID
| can be registered as well.
| [deleted]
| unethical_ban wrote:
| I came in to say, perhaps push notifications are less secure than
| users typing in their TOTP.
|
| However, as someone else mentioned, this is a solved problem by
| prompting the user to select the correct number/symbol shown by
| Service Provider. It's a clever, implemented way of making the
| user understand intuitively "I should only respond to these
| messages if I am actively logging in to a system".
| zokier wrote:
| Good reminder that in 2fa both the factors should be secure; 2fa
| complements instead of replaces secure password practices.
| tialaramex wrote:
| "Secure password practices" are at best aspirational and in
| most cases almost worthless.
|
| If you value security give employees unphishable FIDO tokens,
| require them everywhere you can (e.g. Microsoft Office 365),
| and make requiring them a necessary part of tenders for new IT.
| If you want two factors require the tokens to do that for you
| instead of messing about with layers of extra stuff.
|
| I can more or less rationalise outfits which don't really care
| about their users anyway, like Twitter, having rubbish security
| but I don't understand any _employer_ including my own that
| still thinks _passwords_ are a good idea in the twenty first
| century. Yubico will sell you tokens your employees can use to
| entirely defeat a bunch of the "Top problems" that are
| probably on the whiteboard of your "Head of cyber security" or
| whatever, for less than you probably spent on their Christmas
| meal last time there wasn't a pandemic.
|
| Crazy.
| plasma wrote:
| Azure AD MFA has a preview feature that helps mitigate this
| somewhat, https://m365security.net/2021/11/21/how-to-enable-mfa-code-m...
|
| Instead of getting a contextless "approve?" notification, you're
| shown the app asking for approval, location, and also asked to
| enter the two digit number shown on the app's login screen
| requesting login. You can also respond "this isn't me".
|
| This means you can't really approve such an attempt because you
| need to enter a two digit code too.
| subhro wrote:
| Ahem... YubiKey... maybe?
| genmud wrote:
| For which account? At least a few years ago, some of their apps
| or certain workflows didn't support certain MFA methods like
| u2f token auth and stuff like that.
| ziml77 wrote:
| If only. If there was a good mainstream push for them we'd
| actually end up seeing decent support. Not just on the service
| side but also on the local hardware side. NFC would be the way
| to go since you don't have to worry about 3 different ports
| (USB-A, USB-C, and Lightning). Laptops could have a receiver
| near the keyboard and desktops could either have a standalone
| receiver sitting on the desk or one embedded in or mounted to
| the monitor.
| Nextgrid wrote:
| I remember having a Dell laptop with built-in NFC & contacted
| smartcard reader. I wish this caught on, or at least the NFC
| bit.
| dividedbyzero wrote:
| Are there Yubikeys or similar hardware tokens that work on
| mobile devices that don't involve dongles? My NFC-enabled one
| is pretty much useless on iOS sadly.
| sebazzz wrote:
| NFC enabled Yubikeys work fine on iOS, but not if you protect
| them with a PIN code.
| ziml77 wrote:
| Shouldn't the accounts be locked out after enough failed 2FA
| requests? If someone is managing to spam those requests, it means
| that they have the password and therefore the password needs to
| be changed.
| littlecranky67 wrote:
| What a coincidence, I just opened a support request to MS because
| main M365 web apps (outlook, onenote) require re-login every 6
| hours of "idle" (read: closed tabs). So on average, I login 3-4
| times a day just into those two services (even though they use
| the same account, you need to login for each app individually!).
| Now for free/non-business users it seems longer sessions are
| possible, but MS claims there are 6-hour limits for M365
| subscribers [0]. As I am the M365 admin, it seems this setting is
| also not adjustable, but I will wait for the support response.
|
| My experience in transitioning from GWorkspace has been horrible
| - M365 seems to be a patchwork from various MS products, bundled
| together but not nearly as consistent as GSuite. In the setup of
| my single-user, two-domain Email Account I had to login into 3
| separate admin dashboards (Main admin portal, Exchange Admin
| Dashboard, new Security Center dashboard) for basic tasks. I
| encountered various errors and redirection loops, plus super
| outdated documentation/tutorials (links leading to nowhere, or
| documentation referring to older dashboards/UIs). It seems M365 is
| just a mess at this point.
|
| [0]: https://docs.microsoft.com/en-us/microsoft-365/Enterprise/se...
| genmud wrote:
| Microsoft has consistently had one of the worst account
| management stories on the internet. For being such a huge company
| where one of their main "things" has been a directory/account
| management system, I wish they would not require people to have
| dozens of different accounts to use their services.
|
| They have started to integrate GitHub accounts into stuff, which
| for the services that support it are an improvement, but it's now
| yet _another_ login to the fray.
| blibble wrote:
| if I have to have a microsoft account to use GitHub I'm moving
| all my stuff to GitLab
| tempnow987 wrote:
| For a while they had work and personal accounts using the same
| email but different passwords!
|
| There were some really weird loop login situations you just
| could not break - perhaps in part due to account type confusion
| or an existing login or legacy account stuff on old accounts.
|
| I was an early Microsoft Passport user, not sure if that's hung
| around as well.
|
| In fairness the google home user vs apps user distinction is
| also annoying (can't share google home control with various
| google account types etc).
| notimetorelax wrote:
| Unfortunately social (aka viral) accounts are inherently
| different from corporate accounts (e.g. Google Workspace).
| Although you might be the same person you might not want
| those accounts to be mixed, many people on purpose carry 2
| phones to keep this separate. Microsoft's implementation is
| arcane and old, but even if it weren't you'd still have
| difficulties using a single account. With 2FA it just becomes
| annoying.
|
| That said I really, really dislike login practices that
| require me to relogin after certain time. When did anyone have
| to relogin into gmail? Why do all other services keep expiring
| their logins?
| bchanudet wrote:
| Not actually disagreeing with your comment, but for what
| it's worth, I've been running Gmail, Agenda and Google Chat
| in rambox, and approximately once every two weeks the
| session "die" and I have to log in again.
| jsnell wrote:
| Is that a Workspace account? Those have configurable (by
| the admin) session lifetimes.
| jsnell wrote:
| The tradeoffs with session length are actually quite
| interesting. Obviously infinite sessions are the best in
| terms of the initial friction, and thus be great for
| creating user engagement and minimizing the number of users
| who drop off the service due to having to log in again. And
| even if the users stick, if they need to log in too often
| they'll hate it (as seen all over these comments).
|
| But on the flipside, the infinite session might not be a
| benefit in the long term. A user who signs in just once
| when creating an account will have no idea of how to log in.
| They'll have forgotten their password because they only
| used it the once, they've lost access to their recovery
| email account due to changing jobs, etc. And while any
| single one of these issues would have been trivial to fix
| if noticed quickly, letting them pile up for a year means
| you might have very few ways of proving it really is you
| when that nominally infinite session finally gets killed
| for some reason.
|
| I very nearly had this happen last month. I had been
| intending to close an old phone number from a different
| country, where I haven't lived in 15 years. But I also
| happened to try to log into a PSN account for the first
| time in years (consoles basically never require new
| logins); the password mysteriously did not match the one
| that was stored in my password manager, and it was only
| that old phone number with weeks left to live that got me
| back in.
| stonemetal12 wrote:
| >you might be the same person you might not want those
| accounts to be mixed,
|
| Yeah, but my work account is tied to my work email and my
| personal account is tied to my personal email. Not sure why
| anyone would want their personal account tied to their work
| email and vice versa.
| macintux wrote:
| I have two very different MFA tools, one for my employer and one
| for the company to whom I'm contracted out: Microsoft
| Authenticator for the former, PingID for the latter.
|
| It's interesting to compare the two, because they operate very
| differently on my Watch, my primary tool for this. Authenticator
| sometimes fails because my Watch face goes inactive (and in fact
| it's a very clumsy Watch app overall), something that never
| happens with PingID.
|
| Authenticator has the advantage, however, in that it forces me to
| match one of three integers against the value presented in the
| browser, and unlike Ping it tells me what I'm authenticating. To
| some extent this might mitigate the fatigue attack.
| DrBoring wrote:
| I use Authenticator (on my phone) for multiple accounts. Some
| accounts will give me the 3 integers challenge, and others will
| make me enter my phone unlock code.
| pqdbr wrote:
| The backend should use an exponential backoff to block repeated
| failed MFA requests within a short period of time like the one
| demonstrated in the video.
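Both mitigations raised in the comments above, plasma's number matching (the user must type the two-digit code shown on the login screen) and pqdbr's exponential backoff on repeated failed requests, combined in one server-side gate. This is an added example, not code from the GoSecure article, Microsoft or any commenter; the class name, thresholds, messages and the sample user/IP are assumptions.

```python
"""Server-side gate for push-based MFA (added example, hypothetical design).

It combines the two mitigations the thread discusses:

* number matching: the login page shows a two-digit code that the user must
  type into the authenticator, so a blind "Approve" tap on a spammed push
  cannot succeed;
* exponential backoff: each push that is denied, answered with the wrong
  number, or left to expire lengthens the wait before the next push for
  that user, and a "not me" report locks the account for a credential
  reset, since a stranger requesting pushes already holds the password.

Class name, thresholds and messages are assumptions; state is in memory.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class _UserState:
    failures: int = 0               # consecutive failed/denied/expired pushes
    next_allowed: float = 0.0       # earliest time a new push may be sent
    locked: bool = False            # set after too many failures or "not me"
    pending: Optional[dict] = None  # the single outstanding challenge


class PushMfaGate:
    BASE_DELAY = 2.0      # seconds of backoff after the first failure
    MAX_DELAY = 900.0     # backoff cap (15 minutes)
    LOCK_AFTER = 6        # consecutive failures that lock the account
    CHALLENGE_TTL = 60.0  # seconds a push stays answerable

    def __init__(self, clock: Callable[[], float] = time.time,
                 randbelow: Callable[[int], int] = secrets.randbelow):
        self._clock = clock            # injectable for deterministic tests
        self._randbelow = randbelow
        self._users: Dict[str, _UserState] = {}

    def _state(self, user: str) -> _UserState:
        return self._users.setdefault(user, _UserState())

    def request_push(self, user: str, client_ip: str) -> Tuple[bool, str]:
        """Call after a correct password. Returns (sent, code_or_reason).

        On success the returned two-digit code is what the login page shows;
        the push itself carries client_ip so the user sees who is asking."""
        st, now = self._state(user), self._clock()
        if st.pending is not None and now > st.pending["expires"]:
            st.pending = None
            self._record_failure(st, now)   # ignored pushes back off too
        if st.locked:
            return False, "locked: too many failed MFA attempts; reset required"
        if now < st.next_allowed:
            return False, f"backoff: retry in {st.next_allowed - now:.0f}s"
        if st.pending is not None:
            return False, "a challenge is already outstanding"
        code = f"{self._randbelow(100):02d}"
        st.pending = {"code": code, "ip": client_ip, "issued": now,
                      "expires": now + self.CHALLENGE_TTL}
        return True, code

    def answer_push(self, user: str, typed_code: Optional[str] = None,
                    not_me: bool = False) -> Tuple[bool, str]:
        """Authenticator response: the number the user typed, or a report."""
        st, now = self._state(user), self._clock()
        if st.pending is None:
            return False, "no challenge outstanding"
        pending, st.pending = st.pending, None
        if not_me:
            st.locked = True
            return False, "reported: account locked pending credential reset"
        if now > pending["expires"] or typed_code != pending["code"]:
            self._record_failure(st, now)
            return False, "denied"
        st.failures, st.next_allowed = 0, 0.0
        return True, "approved"

    def status(self, user: str) -> dict:
        st, now = self._state(user), self._clock()
        return {"failures": st.failures, "locked": st.locked,
                "wait": max(0.0, st.next_allowed - now)}

    def _record_failure(self, st: _UserState, now: float) -> None:
        st.failures += 1
        if st.failures >= self.LOCK_AFTER:
            st.locked = True
            return
        # 2s, 4s, 8s, ... capped: a password-only attacker cannot spam pushes.
        delay = min(self.BASE_DELAY * 2 ** (st.failures - 1), self.MAX_DELAY)
        st.next_allowed = now + delay
```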
| ttul wrote:
| This is why you have to give the end user a way of authenticating
| the authenticator. The well-designed Adobe Account Access app
| often presents the user with a random number that they have to
| tap on in the authenticator app. The authenticator app presents
| that number along with some other random numbers, asking the user
| to pick the correct one.
|
| The random number list is not always presented. I presume that
| Adobe skips presenting the number challenge if the user is
| logging in with a relatively fresh cookie or from a recently
| associated device. But I guarantee that login attempts from a new
| device would prompt this more strict authentication step.
|
| Microsoft now appears to do this (thank you, Traubenfuchs).
| dfxm12 wrote:
| My bank used to show me a picture that I specified, after I put
| in my username, but before I put in my password. I knew that if
| I was being shown an odd picture, I either typed in my username
| incorrectly, or I was not logging into my bank!
|
| I think this would make scams more obvious, even in the face of
| MFA fatigue!
| Nextgrid wrote:
| Surely an attacker can just proxy this? Seems like security
| theatre to me.
| aaronharnly wrote:
| They only show the picture after you have logged in
| successfully from the device. If it is a new device (or
| attacker), the picture is blank and the site says something
| like "first time using this device?" So it helps against
| phishing or a MITM that doesn't intercept the real site
| cookies.
| motoboi wrote:
| This is for phishing attacks with lookalike domains and
| sites. Pretty common in the web banking world.
| Nextgrid wrote:
| Yes but I'm pretty sure the lookalike domain proxies your
| username and the "security picture" back to the real
| domain to make it look legitimate.
| jakub_g wrote:
| Yep. This is kinda useful as an indicator whether you wrote
| login correctly (wrong pic = wrong login) and to weed out
| the lowest quality phishing, but for anyone who's not a
| clown it should be easy to recreate the flow and hence,
| it's actually even harmful (you think you get assurance
| you're not scammed while getting scammed).
|
| Edit: one thing to make it more bulletproof would be bank
| rejecting all calls that look like serverish initiated (AWS
| etc), then the attacker would need some genuinely looking
| botnet to not get blocked by the bank due to suspicious
| volume from same IP pool. Raises the bar for attack, but
| still, serious attacker can mitigate this.
| joshuaissac wrote:
| Yahoo used to do this, called Yahoo! Sign-In Seal. Not sure
| if they still do it.
| cube00 wrote:
| Anyone remember which set of keys they had? https://security.stackexchange.com/questions/41247/changing-...
| [deleted]
| stavros wrote:
| Google does that as well.
| Traubenfuchs wrote:
| Microsoft Authenticator does that. Outlook.com logins need you
| to press the right number in Microsoft Authenticator.
| jiggawatts wrote:
| But enterprise users don't!
|
| The more important the system, the worse Microsoft's MFA
| security is.
|
| Their strongest protection is for XBox accounts.
|
| Because they know that their users value their personal
| Minecraft skins more than billions of dollars worth of their
| employer's stuff.
| thereddaikon wrote:
| That's not it at all. It's difficult to get buy in on
| stricter security practices in an organization because
| people don't like to be hassled. Enterprise security is
| always a balancing act with user inconvenience.
|
| Microsoft can get away with it in Xbox because they can set
| the terms for how an individual gets to access the service.
|
| An individual consumer doesn't have much of a choice but
| trying to force the same terms on business users could
| cause them to not use it at all or jump vendors.
| slaymaker1907 wrote:
| You can definitely use this in some enterprise contexts.
| This is what I usually do for logging into Azure.
| judge2020 wrote:
| Enterprises have very fine-grained ways to manage the 2fa
| flow. My AAD-based account requires I type in the full
| number on the Authenticator app; not choose from 3 numbers.
|
| https://docs.microsoft.com/en-us/azure/active-directory/auth...
|
| https://docs.microsoft.com/en-us/azure/active-directory/auth...
| duskwuff wrote:
| > Because they know that their users value their personal
| Minecraft skins more than billions of dollars worth of
| their employer's stuff.
|
| Or because the XBox team isn't beholden to corporate
| clients, so they're much more free to make changes which
| affect user workflows.
| Kliment wrote:
| That's actually shown in the article as a mitigation strategy
| formerly_proven wrote:
| > How to Mitigate Push Notification Spamming
|
| Don't use TOTP?
|
| Edit: As you've noticed, this is not the right word here.
| Ansil849 wrote:
| Push notifications are a separate form of 2FA, they're not
| TOTP. If anything, enabling TOTP and disabling push-based 2FA
| would solve the problem.
| deathanatos wrote:
| > enabling TOTP and disabling push-based 2FA would solve the
| problem.
|
| ...this would be _even more_ fatiguing than the status quo
| for users...
| tempnow987 wrote:
| I use the yubikeys - they seem pretty good and never had a
| problem unless computer was hard to plug into.
|
| I also use google authenticator which is TOTP. Never had a
| problem there either.
|
| I will say that I like the google login flow. MFA is only needed
| ONCE every 30 days per device. That's the right tradeoff. A
| business bank I deal with is MFA on every login (with an org
| login then an employee login) AND MFA on various transactions.
| That really is instant MFA fatigue! I'm certain no one is even
| matching up things anymore (it'll do the MFA to approve "1
| transaction" with no details on trx). They do have a phone call
| method, but same issue, press X to approve "2 transactions".
| BrandoElFollito wrote:
| > AND MFA on various transactions
|
| This is actually reasonable. there are some transactions that
| require re-authentication to make sure you are the person
| behind the screen.
|
| This is in swift contrast with question from finance dept such
| as "how long of a screen timeout is secure?". To what I respond
| "about 10 seconds - the time you need to walk to the door".
| This is "not acceptable" - to which the answer is
| re-authentication but this requires them to actually think about
| what is important and recode the app.
| sebazzz wrote:
| Also for Microsoft accounts? When I want to use my Yubikey for
| my Microsoft Account, it requires me to protect the key using a
| PIN. But when I protect it with a PIN, I can't use it anymore
| via NFC on iOS.
| tempnow987 wrote:
| No, not for MS accounts unfortunately. They also steer users
| towards their authenticator. Fine if you have one account,
| but in a business users are on a lot of platforms. The pin vs
| password / windows hello stuff on windows is also sometimes
| annoying / broken.
| deathanatos wrote:
| The problem here is MS's terrible MFA & "SSO" implementations. If
| I didn't need to MFA multiple times per day into Azure [1] (i.e., if
| I could sign in truly _once_ per, say, 24 hours), and if MFA _was
| just a literal MFA_ [2], the fatigue would not be so incredibly
| high to begin with. Solutions like a Yubikey Nano are going to
| seem like future tech to anyone that has to put up with MS
| Authenticator.
|
| All of the article's suggestions just seem to make more work for
| the already overburdened user. Fixing the fatigue at its root is
| what is needed. (But the article is oddly targeting
| administrators, for whom such a fix is impossible, not ... MS
| themselves.)
|
| [1] different Azure tenants, despite being tied sort of to the same
| user, require separate MFA/auth sequences. In a separate AAD
| tenant, my user is technically separate, but also technically
| not; best I understand it is that it is sort of like a shadow
| user ("guest", in AAD) to my real user. AAD knows they're
| connected ... but not well enough to matter for MFA.
|
| [2] MS Auth requires a double PIN entry on the phone in order to
| respond to an MFA. It used to be you could just tap the
| notification, but at some point, that got axed, and the fatigue
| went up like 3x. MFA is supposed to be proof of possession (I
| have the phone), not proof of knowledge (password, pin). A
| non-pin-protected notification is fine; the password still covers the
| "what you know".
| amoshi wrote:
| >It used to be you could just tap the notification, but at some
| point, that got axed, and the fatigue went up like 3x.
|
| Must be your tenant settings or something, my phone just gets a
| single Allow/Disallow notification that takes a fraction of a
| second to tap. Surprisingly though, I can tap it from the
| lockscreen too, without unlocking the phone.
| jeromegv wrote:
| You could disable this setting on iOS to force unlock to see
| the notifications.
| blakes wrote:
| Sounds to me that MFA is not set up correctly for you or the
| Azure tenants you are logging into.
| kiwijamo wrote:
| What the parent describes is exactly how it works for my
| employer's O365 system. I get MFA requests on a regular basis
| even on known devices. Ticking the 'don't ask again' option
| has no effect. Meanwhile Google on the same devices nags me
| once a week at the most.
| bastardoperator wrote:
| Same, I get a request from the authenticator app, login in
| via facetime and click a dialog that asks me to authorize
| (yes/no). I don't love it, but it's pretty simple.
| teeray wrote:
| It's irritating that the "something you have" for most things
| can't be "a laptop with a TPM." It's functionally equivalent to
| phone-based MFA.
|
| The only improvement would be some screen + touch approval
| (like the touchbar had for privilege elevation). That would at
| least leave a human in the MFA loop in the event of machine
| compromise.
| deathanatos wrote:
| To add to what jsnell said, the Yubikey requires a tap. A
| physical interaction from someone sitting at a laptop, which
| is something a trojan cannot accomplish, and a tiny barrier
| from the human that doesn't materially contribute to fatigue.
|
| Now, I don't really know how much of a difference it makes
| for trojans, since presumably the resulting token/cookie/etc.
| could just be compromised in place. One might hope it is scoped
| or at least of a more limited lifetime, I suppose.
|
| (Compromise by trojan is one of those "all roads seem to end
| in pwned" events to me.)
|
| I will note that it at least requires some authentication to
| happen prior to compromise, so if some IDS is blaring off
| alarm bells, all hope might not be lost if the device can be
| cut off fast enough.
|
| (The point here, though, vs. MS Authenticator, is that
| Authenticator adds nothing but massive amounts of friction
| over the supposed Yubikey state of affairs. Edit: although,
| see another of my comments: apparently MS Authenticator's
| behavior is configurable -- for uh, some reason -- so I've
| switched it to "less annoying" mode. So, I'll forgive MS a
| touch, but AIUI it's the default to fatigue the user...)
| jsnell wrote:
| Not quite equivalent. When an attacker compromises your
| laptop, they'll get all of the factors in one go: steal all
| your bearer tokens, steal your password with a key logger,
| and operate the TPM remotely.
| alisonkisk wrote:
| vorpalhex wrote:
| They would have to break your hard drive encryption AND
| have the laptop itself.
|
| Doable by a nation state? Sure. By Bob the mugger? No.
|
| That is fine for 98% of users.
| littlecranky67 wrote:
| Isn't the idea that you cannot compromise the TPM remotely?
| At least Apple's Secure Enclave requires physical access and
| the fingerprint.
| jsnell wrote:
| You cannot compromise the TPM remotely (e.g. read the
| keys stored in it, decrement increment-only counters),
| but most of the point of a TPM is that programs can call
| an interface and have the TPM perform operations using
| those keys. If someone compromises the machine enough to
| be able to run arbitrary code, they can issue those TPM
| operations just the same as the legit software.
|
| What you describe is somewhat related, in that one can
| use a combination of a TPM + some kind of a biometric
| sensor to build a system like TouchID or Windows Hello,
| and that combination would not be remotely operable. But
| if e.g. your mTLS client cert is stored in the TPM, you
| certainly would not expect to swipe a fingerprint reader
| on every connection that the browser establishes to the
| mTLS domains.
| lima wrote:
| Yep. Azure is just awful.
|
| With Google SSO, I log in and do MFA once per year or so on
| trusted devices and any further prompt beyond that would be
| _extremely suspicious_. With Azure, I have to complete the
| sequence like a hundred times per day.
| TuringNYC wrote:
| Forget Azure. Even Outlook/Teams flips apps between
| Teams/MSAuthenticator over and over. My iPhone goes into
| strange loops. Sometimes, it's logged out but doesn't show it
| and just doesn't update anything. It's nuts how vast the chasm
| is between Azure/Outlook/Teams vs AWS/Google.
| sebazzz wrote:
| > Solutions like a Yubikey Nano are going to seem like future
| tech to anyone that has to put up with MS Authenticator.
|
| Except Microsoft requires you to protect your Yubikey with a
| pin-code (even the consumer accounts), instantly making it
| unusable for your iOS device if you use it via NFC.
| nightski wrote:
| The funny thing is on Windows once you set up your Yubikey in
| Windows Hello it doesn't even matter. You are still forced to
| use the PIN and at that point why bother with the key.
|
| I'd much rather skip the pin and just use Yubikey lol.
| jokethrowaway wrote:
| All European / UK banks I've tried are just as bad as azure as
| of lately. Thanks SCA, I guess.
|
| What's the purpose of authenticating me 8 times in the span of
| 10m.
|
| Open banking api that allow you to add accounts from other
| banks were promising but they turned out to be half baked
| versions, so in practice I still have n bank apps on my phone.
| Not to mention I could not do online banking without my phone.
|
| I've been seriously considering automating all of that and just
| have an application with a master password which access
| encrypted multiple banks secrets and authenticate / perform
| local mfa as required and let me have the banking experience
| (for a single bank) of, say, 10 years ago.
|
| All of this for what? If someone hacks my account and steals my
| money I hope the bank mafia would be able to sort out things
| with the target bank and hallucinate a balance without the
| theft (especially because they flag tons of payments as
| fraudulent, requiring me to call them).
| judge2020 wrote:
| > double PIN entry
|
| Are you talking about 'settings->app lock'? This setting
| assumes you have Touch ID or Face ID set up; either the iOS API
| prompts for your PIN if you don't have those two, or Microsoft
| Authenticator falls back to asking for it.
|
| https://developer.apple.com/documentation/localauthenticatio...
| deathanatos wrote:
| Well, I'm on Android, so that wouldn't apply, at least not
| directly. I've never investigated biometrics. I still don't
| think they're necessary here.
|
| Tapping the notification, nowadays, requires unlocking the
| screen. That's PIN entry #1. Then, MS Authenticator itself
| requires you to enter your lockscreen PIN, for #2.
|
| (Some time ago -- months? years? -- it used to be you could
| acknowledge the MFA request from the lock screen.)
|
| Edit: OMG it's a _setting!_ I've disabled this nonsense. I
| swear I looked when it was first introduced, but IDK. MS &
| defaults. I love Cunningham's Law sometimes, this is going to
| make MS Auth somewhat less annoying.
| mrweasel wrote:
| The new version of the Danish national authentication system had
| to disable push notification for the same reason. Attackers would
| just hammer a person with push notification until the user
| accidentally authorized a login.
|
| I gave up on the Microsoft authenticator and just switched to
| manually entering tokens from a TOTP app. The push/popup thingy was
| a nice idea, but it's annoying to use day to day.
| joenathanone wrote:
| Or they could just gate the notifications/MFA requests server
| side, limit the number of requests and set an increasing delay
| between requests.
| dane-pgp wrote:
| So if an attacker had access to 2 million IP addresses[0] and
| they were attacking a country where maybe less than 5 million
| people[1] have an account on the national authentication
| system, how easy would it be for them to DDoS the system for
| a week?
|
| Presumably the attackers would choose the week when people
| were supposed to fill in their tax forms, or (if the country
| was foolish enough to allow online voting) the week of an
| election.
|
| [0] https://www.bbc.co.uk/news/technology-11531657
|
| [1] https://www.worldometers.info/world-population/denmark-popul...
| autoexec wrote:
| > I gave up on the Microsoft authenticator and just switched to
| manually entering tokens from a TOTP app.
|
| My office considered Microsoft authenticator, but there was
| push back after looking at their privacy policy and how much
| access the app wanted on people's personal devices (location,
| storage, contacts, etc). The nice thing about a little TOTP
| hardware token is that you avoid the push notification problem
| and it doesn't collect massive amounts of your data to use
| against you or sell to 3rd parties.
| judge2020 wrote:
| Which one in particular? These are quite bog-standard Android
| permissions. https://i.judge.sh/QjsR4/m_GdOf1iig.png
| autoexec wrote:
| Even that wants your GPS location (why?), camera (and
| therefore microphone) access, and storage access. Those
| kinds of permissions have been 'normalized' sure, but
| they're also 100% unnecessary considering the job is done
| just as well (or better as it's without security issues
| like the one in the article) with a tiny hardware token
| that requires literally none of those things and couldn't
| do them if it wanted to.
|
| If you aren't currently handing your location data over to
| Microsoft 24/7 right now, why should you start?
| judge2020 wrote:
| In particular:
|
| GPS is for the audit log. I can go into my AAD security
| center (security.microsoft.com) and view a history of
| logins in my org that include IP address and approx
| location.
|
| Camera: QR code enrollment
| https://support.microsoft.com/en-us/account-billing/add-
| your...
|
| Storage is likely for backing up or temporary files, but
| I'm not sure.
| autoexec wrote:
| > GPS is for the audit log. I can go into my AAD security
| center (security.microsoft.com) and view a history of
| logins in my org that include IP address and approx
| location.
|
| You can already get a rough idea of location using just
| the IP address. Surely enough to know if your user logged
| in from the same country/state/ISP as usual. Is that
| really a situation where you need pinpoint location
| accuracy? Do you really need to know which room of their
| house they were in?
|
| Whatever fringe feature is used to justify the access
| it's not required for authentication and there's nothing
| to enforce that those are the only situations in which
| Microsoft will use the access you've given them.
| Microsoft and Google are in the data collection/ad
| pushing business and I can't blame folks for wanting to
| limit the amount of data they leak to those parties.
| slaymaker1907 wrote:
| It wants your GPS location for the same reason banks look
| at your location. Even if they still let an auth request
| go through, they can alert you through email if a request
| is approved from an unexpected location. Camera
| permission is necessary for QR codes so you can set up the
| authenticator. No idea what the mic permission is about
| though.
| autoexec wrote:
| Your IP should provide them (and your bank) enough
| location info to alert you if your account is accessed
| from another state/country. QR codes weren't needed to
| set up the hardware token, so that feels like a feature
| created to justify the increased access (also phones come
| with their own camera apps capable of reading a QR code
| or at the very least photographing one). The mic access
| is a side effect of android's leaky permission system
| which hands out the ability to record audio to any app
| that wants access to your camera.
| Spooky23 wrote:
| The old solutions are best IMO. Challenge/response where
| there's a knowledge element.
|
| TOTP is too easy to share or steal, especially for targeted or
| familiar person attacks. I've encountered fraud scenarios where
| soon to be ex-spouses accessed an account via an iPad with Authy
| to get at someone.
|
| Fundamentally, it's too easy to think you have MFA, but you're
| actually secured with a shared, no-factor-auth iPad. (People
| share work credentials in 1Password for convenience.) Mitigation
| of password spray is cool, but not secure.
| Ansil849 wrote:
| > TOTP is too easy to share or steal, especially for targeted
| or familiar person attacks. I've encountered fraud scenarios
| where soon to be ex-spouses accessed an account via an iPad
| with Authy to get at someone.
|
| If your threat model is 'person in proximity of other person
| being able to access the second factor' then no method of 2FA
| is safe. Even if you use U2F, the "soon to be ex-spouses" can
| easily take the dongle from their spouse's keychain, in fact
| even easier than they could get their OTP codes.
| tialaramex wrote:
| > Even if you use U2F, the "soon to be ex-spouses" can
| easily take the dongle from their spouse's keychain
|
| _Stealing_ the physical object is quite a step up from
| merely using something you have access to that was never
| de-authorised.
|
| And if you steal say, my Security Key 2 from Yubico, it
| still needs its PIN. Worse the _phone_ I use to
| authenticate on mobile sites requires my fingerprint, which
| while far from _impossible_ to fake is definitely another
| step beyond "I just assumed I was allowed" and now you've
| also stolen my phone, how long do you think you have before
| I notice?
| Ansil849 wrote:
| I'm not sure what contrived scenarios you're envisioning,
| but if the threat model is, once again, 'person in
| proximity', they don't have to "steal" anything, they can
| simply use it, e.g. authenticate with the key while
| you're in the shower. And if in your model they
| presumably already know your password, it stands to
| reason they also know your PIN.
| Spooky23 wrote:
| Proximity of what?
|
| With a hardware token, it's very clear that the token is
| in the physical possession of the user or not. It can
| only be in one place at a time. With a challenge/response
| or PIN, you mitigate the risk of the user losing
| possession.
|
| With a TOTP token, if a user puts Authy or 1Password on
| the family iPad so their kid has access to MFA for the
| PlayStation, he has also provided the kid or other
| household member/visitor with access to the token. The
| token is wherever Authy is.
|
| The point is TOTP shares all of the risks associated with
| things like SSH private keys. It has value, but is
| inferior to many other types of token.
| Ansil849 wrote:
| > With a TOTP token, if a user puts Authy or 1Password on
| the family iPad so their kid has access to MFA for the
| PlayStation
|
| My little one plays with my keychain, which has my U2F
| keys on it, all the time. She likes the light the BLE U2F
| fob has.
|
| I don't see the distinction you're making between TOTP
| and U2F if your threat model is 'someone in your house',
| the two are virtually indistinguishable in such a
| scenario - in fact, the U2F is _less_ secure. Your "soon
| to be ex-spouse" can easily use your hardware token while
| you're in the shower, as I said above.
| [deleted]
| shinryudbz wrote:
| I've been running into a similar-ish problem which involves
| someone creating a bunch of gmail accounts and linking my account
| to it. Whenever that happens, Google sends me an email notifying
| me with an option to remove the linking. However, since I never
| initiated that action to begin with, I start worrying that the
| email could be a phishing attempt, so I don't click any of the
| links. But as a result, I start getting email notifications
| whenever someone logs to those accounts from random countries on
| random phones.
|
| Lately they've started creating Facebook accounts with my email.
| Despite me not verifying the email, Facebook continues to send me
| login notifications.
|
| Has this happened to anyone? I don't quite understand the attack
| vector, but my guess is that they're trying to bomb me with
| notifications and if/when they start realizing that I'm clicking
| on the links in the notification emails, they can start sending
| out phishing emails with malicious URLs.
| nerdponx wrote:
| Is it possible that it's just someone using your email address
| for bot accounts?
| shinryudbz wrote:
| It's def possible, but even if that were the case, I'd still
| be nervous about clicking on the email links. Given the lack
| of tools for dealing with this issue, I'll assume
| Google/Facebook haven't seen this problem in a large enough
| scale yet.
| [deleted]
| mvellandi wrote:
| I thought at first it was targeting MFA students (Master of Fine
| Arts, Creative Writing) using Office365, maybe ransomwaring their
| stories and poems. Who could be so cruel?! :)
| DrBoring wrote:
| What a fun term "MFA fatigue".
|
| One day I counted the number of times I needed to authenticate in
| order to connect to my client's web server. The count was 8.
|
| 1. Unlock my PC
| 2. Login to client corp VPN
| 3. Unlock my phone
| 4. Enter PIN to MFA app to confirm login to VPN
| 5. Login to client corp's credentials generation app.
| 6. Unlock my phone again (screen lock has timed out by now)
| 7. Enter PIN to MFA app to confirm login to credentials generation app.
| 8. Login to client's server.
|
| It reminds me of the "8 different bosses" scene from the film
| _Office Space_.
| postalrat wrote:
| Why is webauthn being adopted so slowly? Why do we have passwords
| at all? Why doesn't the US government calculate how much taxes
| each person owes and send them a bill/check and let them dispute
| it?
| Nextgrid wrote:
| > Why is webauthn being adopted so slowly? Why do we have
| passwords at all?
|
| Microsoft's WebAuthn implementation was completely unusable in
| Safari until a few months ago for me and would just fail at
| enrollment with a useless, generic error - not sure who is to
| blame but the point is that it's much more complex than
| passwords which are merely a text-based secret that only
| requires a text input field.
|
| > Why doesn't the US government calculate how much taxes each
| person owes and send them a bill/check and let them dispute it?
|
| That's a political problem, but frankly not too far off from
| the 2FA situation at hand where every company insists on using
| their own, non-interoperable, often shitty authenticator (a
| comment above raises an issue with the various not-
| functionally-necessary permissions that the Microsoft
| Authenticator app requires on Android) instead of adhering to
| an open standard such as TOTP (yes it has issues, but the world
| would still be much better off if we _at least_ converged on
| that).
| tempfs wrote:
| My favorite fuckup is when the MS Authenticator itself tells me
| that it needs me to use MS Authenticator to verify who I am, so
| it sends a code to itself.
|
| You can't make this shit up.
___________________________________________________________________
(page generated 2022-02-16 23:00 UTC)