[HN Gopher] Current MFA fatigue attack campaign targeting Microsoft Office 365 users
Author: WaitWaitWha
Score: 110 points
Date: 2022-02-16 18:17 UTC
Link: www.gosecure.net

codeflo wrote:
Microsoft's are the only services I use where I regularly have to delete all cookies because Teams or something gets stuck in a strange redirection loop that doesn't happen in clean browser instances. Good times.

I think Microsoft is also responsible for an (at the time a bit embarrassing) account breach I suffered. I have no proof, but something very weird happened.

Way back when, I think my Skype account was hacked using a password that no longer should have existed. This happened some time after the forced migration to Microsoft accounts. The new password was unique and password manager-generated, and no machine of mine was ever compromised -- luckily.

However, my old Skype password had been embarrassingly weak (different times), and I had only upgraded everything to strong passwords a short time before that. I remember that there was no user-visible way to change the old Skype password or even see the account anymore -- I thought it was deleted during the migration.

Yet someone managed to spam all my contacts, some of which got very angry with me personally. My best guess is that they had accidentally exposed an API backend that still used the old account database. Again, I don't really know and can't prove it. There were hints in forums of other users with that problem, but never any official answer.

My actual point is, Microsoft isn't that great at all of this. Whenever they buy something and force migrate all accounts, the user experience gets worse.
I have no idea why so many enterprise IT departments have such a strong preference for their stuff. It's not like any of it is particularly easy to set up.

robertlagrant wrote:
I think there is a genuine affinity for GUIs in a lot of IT departments. If there's no GUI then it's completely alien.

Others - like me - get worried when there _are_ GUIs. So OS manufacturers can't win!

olliej wrote:
This is why "do you want to allow browser to do X" dialogs are not a good security model for the myriad features people keep trying to get added to the browser.

Dialog fatigue is a well-known issue, and has been for decades at this point.

djhaskin987 wrote:
OTP. OTP, OTP, OTP. I could feel in my _bones_ it was better, and now I have proof.

Because you are giving an OTP to the website, instead of the website giving a push notification to you, OTP mitigates this. It's also just better and way less invasive.

Google lets you use OTP, but only as a back-up option to having a phone and using push notifications. Apparently Microsoft as well. Many financial institutions still use SMS for MFA, not wanting to use OTP or an app, probably because it's "too technical" for older people who comprise the lion's share of investors.

PLEASE, can we all just use OTP already.

AlexandrB wrote:
You used to be able to add OTP and then remove the SMS 2-factor from your Google account to have OTP-only. Is that no longer possible?

thatnerdyguy wrote:
Isn't OTP vulnerable to MITM attacks?

mk12 wrote:
Skip OTP, give us FIDO2/WebAuthn for everything. OTP is vulnerable to phishing.

I was pleasantly surprised when both Bank of America and Vanguard leapfrogged from SMS MFA to security keys. I bought 3 and started using them for every service that allows me to. Even better are services (e.g. Bitwarden, GitHub) that don't restrict to security keys, then MacBook Pro and iPhone Touch ID can be registered as well.
[deleted]

unethical_ban wrote:
I came in to say, perhaps push notifications are less secure than users typing in their TOTP.

However, as someone else mentioned, this is a solved problem by prompting the user to select the correct number/symbol shown by the Service Provider. It's a clever, implemented way of making the user understand intuitively "I should only respond to these messages if I am actively logging in to a system".

zokier wrote:
Good reminder that in 2FA both the factors should be secure; 2FA complements instead of replaces secure password practices.

tialaramex wrote:
"Secure password practices" are at best aspirational and in most cases almost worthless.

If you value security give employees unphishable FIDO tokens, require them everywhere you can (e.g. Microsoft Office 365), and make requiring them a necessary part of tenders for new IT. If you want two factors, require the tokens to do that for you instead of messing about with layers of extra stuff.

I can more or less rationalise outfits which don't really care about their users anyway, like Twitter, having rubbish security, but I don't understand any _employer_, including my own, that still thinks _passwords_ are a good idea in the twenty-first century. Yubico will sell you tokens your employees can use to entirely defeat a bunch of the "Top problems" that are probably on the whiteboard of your "Head of cyber security" or whatever, for less than you probably spent on their Christmas meal last time there wasn't a pandemic.

Crazy.

plasma wrote:
Azure AD MFA has a preview feature that helps mitigate this somewhat, https://m365security.net/2021/11/21/how-to-enable-mfa-code-m...

Instead of getting a contextless "approve?" notification, you're shown the app asking for approval, location, and also asked to enter the two-digit number shown on the app's login screen requesting login. You can also respond "this isn't me".
This means you can't really approve such an attempt because you need to enter a two-digit code too.

subhro wrote:
Ahem... YubiKey... maybe?

genmud wrote:
For which account? At least a few years ago, some of their apps or certain workflows didn't support certain MFA methods like U2F token auth and stuff like that.

ziml77 wrote:
If only. If there was a good mainstream push for them we'd actually end up seeing decent support. Not just on the service side but also on the local hardware side. NFC would be the way to go since you don't have to worry about 3 different ports (USB-A, USB-C, and Lightning). Laptops could have a receiver near the keyboard and desktops could either have a standalone receiver sitting on the desk or one embedded in or mounted to the monitor.

Nextgrid wrote:
I remember having a Dell laptop with built-in NFC & contacted smartcard reader. I wish this caught on, or at least the NFC bit.

dividedbyzero wrote:
Are there Yubikeys or similar hardware tokens that work on mobile devices that don't involve dongles? My NFC-enabled one is pretty much useless on iOS sadly.

sebazzz wrote:
NFC-enabled Yubikeys work fine on iOS, but not if you protect them with a PIN code.

ziml77 wrote:
Shouldn't the accounts be locked out after enough failed 2FA requests? If someone is managing to spam those requests, it means that they have the password and therefore the password needs to be changed.

littlecranky67 wrote:
What a coincidence, I just opened a support request to MS because main M365 web apps (Outlook, OneNote) require re-login every 6 hours of "idle" (read: closed tabs). So on average, I login 3-4 times a day just into those two services (even though they use the same account, you need to login for each app individually!). Now for free/non-business users it seems longer sessions are possible, but MS claims there are 6-hour limits for M365 subscribers [0].
As I am the M365 admin, it seems this setting is also not adjustable, but I will wait for the support response.

My experience in transitioning from GWorkspace has been horrible - M365 seems to be a patchwork from various MS products, bundled together but not nearly as consistent as GSuite. In the setup of my single-user, two-domain email account I had to log in to 3 separate admin dashboards (main admin portal, Exchange Admin Dashboard, new Security Center dashboard) for basic tasks. I encountered various errors and redirection loops, plus super outdated documentation/tutorials (links leading to nowhere, or documentation referring to older dashboards/UIs). It seems M365 is just a mess at this point.

[0]: https://docs.microsoft.com/en-us/microsoft-365/Enterprise/se...

genmud wrote:
Microsoft has consistently had one of the worst account management stories on the internet. For being such a huge company where one of their main "things" has been a directory/account management system, I wish they would not require people to have dozens of different accounts to use their services.

They have started to integrate GitHub accounts into stuff, which for the services that support it is an improvement, but it's now yet _another_ login to the fray.

blibble wrote:
If I have to have a Microsoft account to use GitHub I'm moving all my stuff to GitLab.

tempnow987 wrote:
For a while they had work and personal accounts using the same email but different passwords!

There were some really weird loop login situations you just could not break - perhaps in part due to account type confusion or an existing login or legacy account stuff on old accounts.

I was an early Microsoft Passport user, not sure if that's hung around as well.

In fairness the Google Home user vs Apps user distinction is also annoying (can't share Google Home control with various Google account types etc).
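ziml77's point that a stream of failed push prompts means the password is already in someone else's hands is also the detection angle: a burst of denied or unanswered prompts for one user, and above all an approval arriving at the tail of such a burst, is what a SOC should alert on. The following Python is an added example for this page, not from the article or any commenter; the log format it parses is made up for the example (a real Azure AD sign-in export has different fields), the `mfa=` outcome values, the five-prompt threshold and the ten-minute window are assumptions chosen here, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events in a made-up format (not an Azure AD export).
# alice receives a burst of push prompts she denies or lets time out and one finally
# gets approved; bob shows ordinary activity. One malformed line exercises the parser.
SAMPLE_LOG = """\
2022-02-16T09:00:01Z user=alice@example.com ip=203.0.113.5 mfa=denied
2022-02-16T09:00:20Z user=alice@example.com ip=203.0.113.5 mfa=timeout
2022-02-16T09:00:45Z user=alice@example.com ip=203.0.113.5 mfa=denied
2022-02-16T09:01:30Z user=alice@example.com ip=203.0.113.5 mfa=denied
2022-02-16T09:02:05Z user=alice@example.com ip=203.0.113.5 mfa=timeout
2022-02-16T09:03:30Z user=alice@example.com ip=203.0.113.5 mfa=denied
2022-02-16T09:04:10Z user=alice@example.com ip=203.0.113.5 mfa=approved
2022-02-16T09:10:00Z user=bob@example.com ip=198.51.100.7 mfa=approved
this line is malformed and must be skipped
2022-02-16T11:00:00Z user=bob@example.com ip=198.51.100.7 mfa=denied
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) mfa=(\w+)$")
REJECTED = {"denied", "timeout"}   # prompts the legitimate user did not approve


def parse_line(line):
    """Return {"ts", "user", "ip", "mfa"} for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m.group(2), "ip": m.group(3), "mfa": m.group(4)}


def detect_mfa_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag users with at least `threshold` rejected/unanswered push prompts inside a
    sliding window, and record whether an approval followed while the burst was still
    inside the window. That second signal separates a fatigue attempt that failed
    (reset the password) from one that succeeded (also revoke sessions and tokens)."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_user[ev["user"]].append(ev)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # rejected prompts within `window` of the event being examined
        for ev in events:
            while recent and ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if ev["mfa"] in REJECTED:
                recent.append(ev)
                if len(recent) >= threshold:
                    f = findings.setdefault(user, {"prompts": 0, "ips": set(),
                                                   "approved_after_burst": False})
                    f["prompts"] = max(f["prompts"], len(recent))
                    f["ips"].update(e["ip"] for e in recent)
            elif ev["mfa"] == "approved" and user in findings and recent:
                # approval while the burst is still inside the window: likely compromise
                findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(SAMPLE_LOG.splitlines()).items():
        print(user, finding)
```

Run against the constructed log this flags only alice, with six rejected prompts from one address and `approved_after_burst` set; bob's single denial never reaches the threshold. In practice the threshold should sit well above what a real user produces by fumbling a prompt or two, and the window should match how long the identity provider lets a push stay pending.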
notimetorelax wrote:
Unfortunately social (aka viral) accounts are inherently different from corporate accounts (e.g. Google Workspace). Although you might be the same person, you might not want those accounts to be mixed; many people on purpose carry 2 phones to keep this separate. Microsoft's implementation is arcane and old, but even if it weren't you'd still have difficulties using a single account. With 2FA it just becomes annoying.

That said I really, really dislike login practices that require me to relogin after a certain time. When did anyone have to relogin into Gmail? Why do all other services keep expiring their logins?

bchanudet wrote:
Not actually disagreeing with your comment, but for what it's worth, I've been running Gmail, Agenda and Google Chat in Rambox, and approximately once every two weeks the session "dies" and I have to log in again.

jsnell wrote:
Is that a Workspace account? Those have configurable (by the admin) session lifetimes.

jsnell wrote:
The tradeoffs with session length are actually quite interesting. Obviously infinite sessions are the best in terms of the initial friction, and thus would be great for creating user engagement and minimizing the number of users who drop off the service due to having to log in again. And even if the users stick, if they need to log in too often they'll hate it (as seen all over these comments).

But on the flipside, the infinite session might not be a benefit in the long term. A user who signs in just once when creating an account will have no idea of how to log in. They'll have forgotten their password because they only used it the once, they've lost access to their recovery email account due to changing jobs, etc.
And while any single one of these issues would have been trivial to fix if noticed quickly, letting them pile up for a year means you might have very few ways of proving it really is you when that nominally infinite session finally gets killed for some reason.

I very nearly had this happen last month. I had been intending to close an old phone number from a different country, where I haven't lived in 15 years. But I also happened to try to log into a PSN account for the first time in years (consoles basically never require new logins); the password mysteriously did not match the one that was stored in my password manager, and it was only that old phone number with weeks left to live that got me back in.

stonemetal12 wrote:
> you might be the same person you might not want those accounts to be mixed,

Yeah, but my work account is tied to my work email and my personal account is tied to my personal email. Not sure why anyone would want their personal account tied to their work email and vice versa.

macintux wrote:
I have two very different MFA tools, one for my employer and one for the company to whom I'm contracted out: Microsoft Authenticator for the former, PingID for the latter.

It's interesting to compare the two, because they operate very differently on my Watch, my primary tool for this. Authenticator sometimes fails because my Watch face goes inactive (and in fact it's a very clumsy Watch app overall), something that never happens with PingID.

Authenticator has the advantage, however, in that it forces me to match one of three integers against the value presented in the browser, and unlike Ping it tells me what I'm authenticating. To some extent this might mitigate the fatigue attack.

DrBoring wrote:
I use Authenticator (on my phone) for multiple accounts. Some accounts will give me the 3 integers challenge, and others will make me enter my phone unlock code.
pqdbr wrote:
The backend should use an exponential backoff to block repeated failed MFA requests within a short period of time like the one demonstrated in the video.

ttul wrote:
This is why you have to give the end user a way of authenticating the authenticator. The well-designed Adobe Account Access app often presents the user with a random number that they have to tap on in the authenticator app. The authenticator app presents that number along with some other random numbers, asking the user to pick the correct one.

The random number list is not always presented. I presume that Adobe skips presenting the number challenge if the user is logging in with a relatively fresh cookie or from a recently associated device. But I guarantee that login attempts from a new device would prompt this more strict authentication step.

Microsoft now appears to do this (thank you, Traubenfuchs).

dfxm12 wrote:
My bank used to show me a picture that I specified, after I put in my username, but before I put in my password. I knew that if I was being shown an odd picture, I either typed in my username incorrectly, or I was not logging into my bank!

I think this would make scams more obvious, even in the face of MFA fatigue!

Nextgrid wrote:
Surely an attacker can just proxy this? Seems like security theatre to me.

aaronharnly wrote:
They only show the picture after you have logged in successfully from the device. If it is a new device (or attacker), the picture is blank and the site says something like "first time using this device?" So it helps against phishing or a MITM that doesn't intercept the real site cookies.

motoboi wrote:
This is for phishing attacks with lookalike domains and sites. Pretty common in the web banking world.

Nextgrid wrote:
Yes but I'm pretty sure the lookalike domain proxies your username and the "security picture" back to the real domain to make it look legitimate.
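pqdbr's server-side backoff and the number-matching flow that plasma, macintux and ttul describe fit together in one model of the identity provider's push endpoint: a challenge carries a two-digit number that is displayed only on the login screen that requested it, a bare "approve" from the device never succeeds, and every failed or expired challenge pushes the next allowed prompt further out until the account is locked for review. The Python below is an added example written for this page, not code from GoSecure, Microsoft, Adobe or any commenter; the class and method names, the 30 s base delay doubling up to a 15 min cap, the 60 s prompt timeout and the six-failure lockout are this example's own choices, and time is passed in explicitly so the behaviour is reproducible.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class PushChallenge:
    id: str
    user: str
    number: str      # two-digit value shown only on the login screen that asked for the push
    context: dict    # what the device displays alongside the prompt: app, source IP, location
    created: float   # seconds; supplied by the caller so the example is deterministic


class PushMfaServer:
    """Issues push challenges with number matching and throttles repeated failures
    with exponential backoff, locking the account after `lockout_after` in a row.
    Example design for this page, not any vendor's implementation."""

    def __init__(self, base_delay: float = 30, max_delay: float = 900, lockout_after: int = 6,
                 number_source: Callable[[], int] = lambda: secrets.randbelow(100)):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.number_source = number_source
        self.failures: Dict[str, int] = {}         # consecutive failures per user
        self.next_allowed: Dict[str, float] = {}   # earliest time a new push may go out per user
        self.pending: Dict[str, PushChallenge] = {}
        self.locked: Set[str] = set()

    def request_push(self, user: str, context: dict, now: float) -> Tuple[str, Optional[PushChallenge]]:
        """Called after the password check passed. Returns (status, challenge)."""
        if user in self.locked:
            return "locked", None
        if now < self.next_allowed.get(user, 0):
            return "throttled", None   # no push is sent, so the device sees nothing to approve
        ch = PushChallenge(secrets.token_hex(8), user, f"{self.number_source():02d}", context, now)
        self.pending[ch.id] = ch
        return "sent", ch

    def respond(self, challenge_id: str, entered_number: Optional[str], now: float,
                timeout: float = 60) -> str:
        """Reply from the device. A bare approve (entered_number=None) never succeeds:
        the user has to type the number that only the real login screen shows."""
        ch = self.pending.pop(challenge_id, None)
        if ch is None:
            return "unknown"
        if now - ch.created > timeout:
            outcome = "timeout"
        elif entered_number is not None and hmac.compare_digest(entered_number, ch.number):
            outcome = "approved"
        else:
            outcome = "rejected"
        if outcome == "approved":
            self.failures[ch.user] = 0
            self.next_allowed.pop(ch.user, None)
        else:
            self._record_failure(ch.user, now)
        return outcome

    def _record_failure(self, user: str, now: float) -> None:
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.lockout_after:
            self.locked.add(user)   # from here on: operator review and a password reset
            return
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.next_allowed[user] = now + delay


if __name__ == "__main__":
    srv = PushMfaServer()
    status, ch = srv.request_push("alice@example.com", {"app": "Outlook", "ip": "203.0.113.5"}, now=0)
    print(status, "number shown on the login screen:", ch.number)
    print("blind approve ->", srv.respond(ch.id, None, now=5))                  # rejected
    print("immediate retry ->", srv.request_push("alice@example.com", {}, now=10)[0])  # throttled
```

The two controls address different halves of the attack: number matching means an approval tapped out of habit does nothing, and the backoff means the prompts stop arriving at all after a couple of failures, which is what removes the fatigue. Locking after repeated failures also produces the signal ziml77 asks for, since a run of failed challenges is direct evidence the password is known to someone else.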
jakub_g wrote:
Yep. This is kinda useful as an indicator whether you wrote the login correctly (wrong pic = wrong login) and to weed out the lowest quality phishing, but for anyone who's not a clown it should be easy to recreate the flow and hence, it's actually even harmful (you think you get assurance you're not scammed while getting scammed).

Edit: one thing to make it more bulletproof would be the bank rejecting all calls that look server-initiated (AWS etc), then the attacker would need some genuine-looking botnet to not get blocked by the bank due to suspicious volume from the same IP pool. Raises the bar for attack, but still, a serious attacker can mitigate this.

joshuaissac wrote:
Yahoo used to do this, called Yahoo! Sign-In Seal. Not sure if they still do it.

cube00 wrote:
Anyone remember which set of keys they had? https://security.stackexchange.com/questions/41247/changing-...

[deleted]

stavros wrote:
Google does that as well.

Traubenfuchs wrote:
Microsoft Authenticator does that. Outlook.com logins need you to press the right number in Microsoft Authenticator.

jiggawatts wrote:
But enterprise users don't!

The more important the system, the worse Microsoft's MFA security is.

Their strongest protection is for Xbox accounts.

Because they know that their users value their personal Minecraft skins more than billions of dollars worth of their employer's stuff.

thereddaikon wrote:
That's not it at all. It's difficult to get buy-in on stricter security practices in an organization because people don't like to be hassled. Enterprise security is always a balancing act with user inconvenience.

Microsoft can get away with it in Xbox because they can set the terms for how an individual gets to access the service.

An individual consumer doesn't have much of a choice, but trying to force the same terms on business users could cause them to not use it at all or jump vendors.
slaymaker1907 wrote:
You can definitely use this in some enterprise contexts. This is what I usually do for logging into Azure.

judge2020 wrote:
Enterprises have very fine-grained ways to manage the 2FA flow. My AAD-based account requires I type in the full number on the Authenticator app, not choose from 3 numbers.

https://docs.microsoft.com/en-us/azure/active-directory/auth...

https://docs.microsoft.com/en-us/azure/active-directory/auth...

duskwuff wrote:
> Because they know that their users value their personal Minecraft skins more than billions of dollars worth of their employer's stuff.

Or because the Xbox team isn't beholden to corporate clients, so they're much more free to make changes which affect user workflows.

Kliment wrote:
That's actually shown in the article as a mitigation strategy.

formerly_proven wrote:
> How to Mitigate Push Notification Spamming

Don't use TOTP?

Edit: As you've noticed, this is not the right word here.

Ansil849 wrote:
Push notifications are a separate form of 2FA, they're not TOTP. If anything, enabling TOTP and disabling push-based 2FA would solve the problem.

deathanatos wrote:
> enabling TOTP and disabling push-based 2FA would solve the problem.

...this would be _even more_ fatiguing than the status quo for users...

tempnow987 wrote:
I use the Yubikeys - they seem pretty good and never had a problem unless the computer was hard to plug into.

I also use Google Authenticator which is TOTP. Never had a problem there either.

I will say that I like the Google login flow. MFA is only needed ONCE every 30 days per device. That's the right tradeoff. A business bank I deal with is MFA on every login (with an org login then an employee login) AND MFA on various transactions. That really is instant MFA fatigue! I'm certain no one is even matching up things anymore (it'll do the MFA to approve "1 transaction" with no details on the trx).
They do have a phone call method, but same issue, press X to approve "2 transactions".

BrandoElFollito wrote:
> AND MFA on various transactions

This is actually reasonable. There are some transactions that require re-authentication to make sure you are the person behind the screen.

This is in swift contrast with questions from the finance dept such as "how long of a screen timeout is secure?". To which I respond "about 10 seconds - the time you need to walk to the door". This is "not acceptable" - to which the answer is re-authentication, but this requires them to actually think about what is important and recode the app.

sebazzz wrote:
Also for Microsoft accounts? When I want to use my Yubikey for my Microsoft Account, it requires me to protect the key using a PIN. But when I protect it with a PIN, I can't use it anymore via NFC on iOS.

tempnow987 wrote:
No, not for MS accounts unfortunately. They also steer users towards their authenticator. Fine if you have one account, but in a business users are on a lot of platforms. The PIN vs password / Windows Hello stuff on Windows is also sometimes annoying / broken.

deathanatos wrote:
The problem here is MS's terrible MFA & "SSO" implementations. If I didn't need to MFA multiple times per day into Azure [1] (i.e., if I could sign in truly _once_ per, say, 24 hours), and if MFA _was just a literal MFA_ [2], the fatigue would not be so incredibly high to begin with. Solutions like a Yubikey Nano are going to seem like future tech to anyone that has to put up with MS Authenticator.

All of the article's suggestions just seem to make more work for the already overburdened user. Fixing the fatigue at its root is what is needed. (But the article is oddly targeting administrators, for whom such a fix is impossible, not ... MS themselves.)

[1] Different Azure tenants, despite being tied sort of to the same user, require separate MFA/auth sequences.
In a separate AAD tenant, my user is technically separate, but also technically not; best I understand it is that it is sort of like a shadow user ("guest", in AAD) to my real user. AAD knows they're connected ... but not well enough to matter for MFA.

[2] MS Auth requires a double PIN entry on the phone in order to respond to an MFA. It used to be you could just tap the notification, but at some point, that got axed, and the fatigue went up like 3x. MFA is supposed to be proof of possession (I have the phone), not proof of knowledge (password, PIN). A non-PIN-protected notification is fine; the password still covers the "what you know".

amoshi wrote:
> It used to be you could just tap the notification, but at some point, that got axed, and the fatigue went up like 3x.

Must be your tenant settings or something, my phone just gets a single Allow/Disallow notification that takes a fraction of a second to tap. Surprisingly though, I can tap it from the lockscreen too, without unlocking the phone.

jeromegv wrote:
You could disable this setting on iOS to force unlock to see the notifications.

blakes wrote:
Sounds to me that MFA is not set up correctly for you or the Azure tenants you are logging into.

kiwijamo wrote:
What the parent describes is exactly how it works for my employer's O365 system. I get MFA requests on a regular basis even on known devices. Ticking the 'don't ask again' option has no effect. Meanwhile Google on the same devices nags me once a week at the most.

bastardoperator wrote:
Same, I get a request from the authenticator app, log in via facetime and click a dialog that asks me to authorize (yes/no). I don't love it, but it's pretty simple.

teeray wrote:
It's irritating that the "something you have" for most things can't be "a laptop with a TPM." It's functionally equivalent to phone-based MFA.
The only improvement would be some screen + touch approval (like the Touch Bar had for privilege elevation). That would at least leave a human in the MFA loop in the event of machine compromise.

deathanatos wrote:
To add to what jsnell said, the Yubikey requires a tap. A physical interaction from someone sitting at a laptop, which is something a trojan cannot accomplish, and a tiny barrier from the human that doesn't materially contribute to fatigue.

Now, I don't really know how much of a difference it makes for trojans, since presumably the resulting token/cookie/etc. could just be compromised in place. One might hope it is scoped or at least of a more limited lifetime, I suppose.

(Compromise by trojan is one of those "all roads seem to end in pwned" events to me.)

I will note that it at least requires some authentication to happen prior to compromise, so if some IDS is blaring off alarm bells, all hope might not be lost if the device can be cut off fast enough.

(The point here, though, vs. MS Authenticator, is that Authenticator adds nothing but massive amounts of friction over the supposed Yubikey state of affairs. Edit: although, see another of my comments: apparently MS Authenticator's behavior is configurable -- for uh, some reason -- so I've switched it to "less annoying" mode. So, I'll forgive MS a touch, but AIUI it's the default to fatigue the user...)

jsnell wrote:
Not quite equivalent. When an attacker compromises your laptop, they'll get all of the factors in one go: steal all your bearer tokens, steal your password with a key logger, and operate the TPM remotely.

alisonkisk wrote:

vorpalhex wrote:
They would have to break your hard drive encryption AND have the laptop itself.

Doable by a nation state? Sure. By Bob the mugger? No.

That is fine for 98% of users.

littlecranky67 wrote:
Isn't the idea that you cannot compromise the TPM remotely?
At least Apple's Secure Enclave requires physical access and the fingerprint.

jsnell wrote:
You cannot compromise the TPM remotely (e.g. read the keys stored in it, decrement increment-only counters), but most of the point of a TPM is that programs can call an interface and have the TPM perform operations using those keys. If someone compromises the machine enough to be able to run arbitrary code, they can issue those TPM operations just the same as the legit software.

What you describe is somewhat related, in that one can use a combination of a TPM + some kind of a biometric sensor to build a system like Touch ID or Windows Hello, and that combination would not be remotely operable. But if e.g. your mTLS client cert is stored in the TPM, you certainly would not expect to swipe a fingerprint reader on every connection that the browser establishes to the mTLS domains.

lima wrote:
Yep. Azure is just awful.

With Google SSO, I log in and do MFA once per year or so on trusted devices and any further prompt beyond that would be _extremely suspicious_. With Azure, I have to complete the sequence like a hundred times per day.

TuringNYC wrote:
Forget Azure. Even Outlook/Teams flips apps between Teams/MS Authenticator over and over. My iPhone goes into strange loops. Sometimes it's logged out but doesn't show it and just doesn't update anything. It's nuts how vast the chasm is between Azure/Outlook/Teams vs AWS/Google.

sebazzz wrote:
> Solutions like a Yubikey Nano are going to seem like future tech to anyone that has to put up with MS Authenticator.

Except Microsoft requires you to protect your Yubikey with a PIN code (even the consumer accounts), instantly making it unusable for your iOS device if you use it via NFC.

nightski wrote:
The funny thing is on Windows once you set up your Yubikey in Windows Hello it doesn't even matter.
You are still forced to use the PIN and at that point why bother with the key.

I'd much rather skip the PIN and just use the Yubikey lol.

jokethrowaway wrote:
All European / UK banks I've tried are just as bad as Azure as of lately. Thanks SCA, I guess.

What's the purpose of authenticating me 8 times in the span of 10m.

Open banking APIs that allow you to add accounts from other banks were promising but they turned out to be half-baked versions, so in practice I still have n bank apps on my phone. Not to mention I could not do online banking without my phone.

I've been seriously considering automating all of that and just have an application with a master password which accesses multiple banks' encrypted secrets and authenticates / performs local MFA as required and lets me have the banking experience (for a single bank) of, say, 10 years ago.

All of this for what? If someone hacks my account and steals my money I hope the bank mafia would be able to sort out things with the target bank and hallucinate a balance without the theft (especially because they flag tons of payments as fraudulent, requiring me to call them).

judge2020 wrote:
> double PIN entry

Are you talking about 'settings->app lock'? This setting assumes you have Touch ID or Face ID set up; either the iOS API prompts for your PIN if you don't have those two, or Microsoft Authenticator falls back to asking for it.

https://developer.apple.com/documentation/localauthenticatio...

deathanatos wrote:
Well, I'm on Android, so that wouldn't apply, at least not directly. I've never investigated biometrics. I still don't think they're necessary here.

Tapping the notification, nowadays, requires unlocking the screen. That's PIN entry #1. Then, MS Authenticator itself requires you to enter your lockscreen PIN, for #2.

(Some time ago -- months? years? -- it used to be you could acknowledge the MFA request from the lock screen.)
Edit: OMG it's a _setting!_ I've disabled this nonsense. I swear I looked when it was first introduced, but IDK. MS & defaults. I love Cunningham's Law sometimes, this is going to make MS Auth somewhat less annoying.

mrweasel wrote:
The new version of the Danish national authentication system had to disable push notifications for the same reason. Attackers would just hammer a person with push notifications until the user accidentally authorized a login.

I gave up on the Microsoft authenticator and just switched to manually entering tokens from a TOTP app. The push/popup thingy was a nice idea, but it's annoying to use day to day.

joenathanone wrote:
Or they change just gate the notifications/MFA requests server side, limit the number of requests and set an increasing delay between requests.

dane-pgp wrote:
So if an attacker had access to 2 million IP addresses [0] and they were attacking a country where maybe less than 5 million people [1] have an account on the national authentication system, how easy would it be for them to DDoS the system for a week?

Presumably the attackers would choose the week when people were supposed to fill in their tax forms, or (if the country was foolish enough to allow online voting) the week of an election.

[0] https://www.bbc.co.uk/news/technology-11531657

[1] https://www.worldometers.info/world-population/denmark-popul...

autoexec wrote:
> I gave up on the Microsoft authenticator and just switched to manually entering tokens from a TOTP app.

My office considered Microsoft authenticator, but there was push back after looking at their privacy policy and how much access the app wanted on people's personal devices (location, storage, contacts, etc). The nice thing about a little TOTP hardware token is that you avoid the push notification problem and it doesn't collect massive amounts of your data to use against you or sell to 3rd parties.
judge2020 wrote:
Which one in particular? These are quite bog-standard Android permissions. https://i.judge.sh/QjsR4/m_GdOf1iig.png

autoexec wrote:
Even that wants your GPS location (why?), camera (and therefore microphone) access, and storage access. Those kinds of permissions have been 'normalized' sure, but they're also 100% unnecessary considering the job is done just as well (or better as it's without security issues like the one in the article) with a tiny hardware token that requires literally none of those things and couldn't do them if it wanted to.

If you aren't currently handing your location data over to Microsoft 24/7 right now, why should you start?

judge2020 wrote:
In particular:

GPS is for the audit log. I can go into my AAD security center (security.microsoft.com) and view a history of logins in my org that include IP address and approx location.

Camera: QR code enrollment https://support.microsoft.com/en-us/account-billing/add-your...

Storage is likely for backing up or temporary files, but I'm not sure.

autoexec wrote:
> GPS is for the audit log. I can go into my AAD security center (security.microsoft.com) and view a history of logins in my org that include IP address and approx location.

You can already get a rough idea of location using just the IP address. Surely enough to know if your user logged in from the same country/state/ISP as usual. Is that really a situation where you need pinpoint location accuracy? Do you really need to know which room of their house they were in?

Whatever fringe feature is used to justify the access, it's not required for authentication and there's nothing to enforce that those are the only situations in which Microsoft will use the access you've given them. Microsoft and Google are in the data collection/ad pushing business and I can't blame folks for wanting to limit the amount of data they leak to those parties.
| slaymaker1907 wrote:
| It wants your GPS location for the same reason banks look at your location. Even if they still let an auth request go through, they can alert you through email if a request is approved from an unexpected location. Camera permission is necessary for QR codes so you can set up the authenticator. No idea what the mic permission is about though.
| autoexec wrote:
| Your IP should provide them (and your bank) enough location info to alert you if your account is accessed from another state/country. QR codes weren't needed to set up the hardware token, so that feels like a feature created to justify the increased access (also phones come with their own camera apps capable of reading a QR code or at the very least photographing one). The mic access is a side effect of Android's leaky permission system which hands out the ability to record audio to any app that wants access to your camera.
| Spooky23 wrote:
| The old solutions are best IMO. Challenge/response where there's a knowledge element.
|
| TOTP is too easy to share or steal, especially for targeted or familiar person attacks. I've encountered fraud scenarios where soon to be ex-spouses accessed an account via an iPad with Authy to get at someone.
|
| Fundamentally, it's too easy to think you have MFA, but you're actually secured with a shared, no-factor-auth iPad. (People share work credentials in 1Password for convenience.) Mitigation of password spray is cool, but not secure.
| Ansil849 wrote:
| > TOTP is too easy to share or steal, especially for targeted or familiar person attacks. I've encountered fraud scenarios where soon to be ex-spouses accessed an account via an iPad with Authy to get at someone.
|
| If your threat model is 'person in proximity of other person being able to access the second factor' then no method of 2FA is safe. Even if you use U2F, the "soon to be ex-spouses" can easily take the dongle from their spouse's keychain, in fact even easier than they could get their OTP codes.
| tialaramex wrote:
| > Even if you use U2F, the "soon to be ex-spouses" can easily take the dongle from their spouse's keychain
|
| _Stealing_ the physical object is quite a step up from merely using something you have access to that was never de-authorised.
|
| And if you steal, say, my Security Key 2 from Yubico, it still needs its PIN. Worse, the _phone_ I use to authenticate on mobile sites requires my fingerprint, which while far from _impossible_ to fake is definitely another step beyond "I just assumed I was allowed" and now you've also stolen my phone, how long do you think you have before I notice?
| Ansil849 wrote:
| I'm not sure what contrived scenarios you're envisioning, but if the threat model is, once again, 'person in proximity', they don't have to "steal" anything, they can simply use it, e.g. authenticate with the key while you're in the shower. And if in your model they presumably already know your password, it stands to reason they also know your PIN.
| Spooky23 wrote:
| Proximity of what?
|
| With a hardware token, it's very clear that the token is in the physical possession of the user or not. It can only be in one place at a time. With a challenge/response or PIN, you mitigate the risk of the user losing possession.
|
| With a TOTP token, if a user puts Authy or 1Password on the family iPad so their kid has access to MFA for the PlayStation, he has also provided the kid or other household member/visitor with access to the token. The token is wherever Authy is.
|
| The point is TOTP shares all of the risks associated with things like SSH private keys. It has value, but is inferior to many other types of token.
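The alerting slaymaker1907 describes (flag an approval from an unexpected location) and the repeated-prompt pattern of the campaign in the linked article, as an added detection example that is not code from the thread, the article, or Microsoft. The log layout, field names, per-user baseline countries, window and threshold are all constructed assumptions for this example:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, one per MFA push prompt, laid out as
# "<timestamp> <user> <method> <result> <country>"; this layout is an
# assumption for the example, not a real Office 365 sign-in log schema.
SAMPLE_LOG = """\
2022-02-16T18:01:02Z alice push denied US
2022-02-16T18:01:40Z alice push denied US
2022-02-16T18:02:15Z alice push denied US
2022-02-16T18:03:20Z alice push approved RO
2022-02-16T18:05:00Z bob push approved US
2022-02-16T18:06:00Z carol push approved DE
"""
BASELINE = {"alice": "US", "bob": "US", "carol": "US"}  # assumed per-user baseline country

def parse(text):
    records = []
    for line in text.splitlines():
        ts, user, method, result, country = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        user, method, result, country))
    return sorted(records)

def detect(records, window=timedelta(minutes=10), threshold=3):
    """Return (user, reason) findings in log order: push_burst (`threshold`+
    unapproved pushes inside `window`, the repeated-prompt pattern of MFA
    fatigue), approved_after_burst, approved_from_unexpected_country."""
    pending = defaultdict(deque)   # user -> times of recent unapproved pushes
    in_burst = set()
    findings = []
    for ts, user, method, result, country in records:
        if method != "push":
            continue
        q = pending[user]
        while q and ts - q[0] > window:   # forget pushes outside the window
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(user)
        if result != "approved":
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                findings.append((user, "push_burst"))
            continue
        if user in in_burst:
            findings.append((user, "approved_after_burst"))
        if country != BASELINE.get(user, country):
            findings.append((user, "approved_from_unexpected_country"))
    return findings
```

An approval that lands while the burst is still active is the case worth paging on: it is the moment a worn-down user accepts a prompt they did not initiate.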
| Ansil849 wrote:
| > With a TOTP token, if a user puts Authy or 1Password on the family iPad so their kid has access to MFA for the PlayStation
|
| My little one plays with my keychain, which has my U2F keys on it, all the time. She likes the light the BLE U2F fob has.
|
| I don't see the distinction you're making between TOTP and U2F if your threat model is 'someone in your house'; the two are virtually indistinguishable in such a scenario - in fact, the U2F is _less_ secure. Your "soon to be ex-spouse" can easily use your hardware token while you're in the shower, as I said above.
| [deleted]
| shinryudbz wrote:
| I've been running into a similar-ish problem which involves someone creating a bunch of Gmail accounts and linking my account to it. Whenever that happens, Google sends me an email notifying me with an option to remove the linking. However, since I never initiated that action to begin with, I start worrying that the email could be a phishing attempt, so I don't click any of the links. But as a result, I start getting email notifications whenever someone logs in to those accounts from random countries on random phones.
|
| Lately they've started creating Facebook accounts with my email. Despite me not verifying the email, Facebook continues to send me login notifications.
|
| Has this happened to anyone? I don't quite understand the attack vector, but my guess is that they're trying to bomb me with notifications and if/when they start realizing that I'm clicking on the links in the notification emails, they can start sending out phishing emails with malicious URLs.
| nerdponx wrote:
| Is it possible that it's just someone using your email address for bot accounts?
| shinryudbz wrote:
| It's def possible, but even if that were the case, I'd still be nervous about clicking on the email links. Given the lack of tools for dealing with this issue, I'll assume Google/Facebook haven't seen this problem on a large enough scale yet.
| [deleted]
| mvellandi wrote:
| I thought at first it was targeting MFA students (Master of Fine Arts, Creative Writing) using Office365, maybe ransomwaring their stories and poems. Who could be so cruel?! :)
| DrBoring wrote:
| What a fun term "MFA fatigue".
|
| One day I counted the number of times I needed to authenticate in order to connect to my client's web server. The count was 8.
|
| 1 Unlock my PC
| 2 Login to client corp VPN
| 3 Unlock my phone
| 4 Enter PIN to MFA app to confirm login to VPN
| 5 Login to client corps' credentials generation app.
| 6 Unlock my phone again (screen lock has timed out by now)
| 7 Enter PIN to MFA app to confirm login to credentials generation app.
| 8 Login to client's server.
|
| It reminds me of the "8 different bosses" scene from the film _Office Space_.
| postalrat wrote:
| Why is webauthn being adopted so slowly? Why do we have passwords at all? Why doesn't the US government calculate how much taxes each person owes and send them a bill/check and let them dispute it?
| Nextgrid wrote:
| > Why is webauthn being adopted so slowly? Why do we have passwords at all?
|
| Microsoft's WebAuthn implementation was completely unusable in Safari until a few months ago for me and would just fail at enrollment with a useless, generic error - not sure who is to blame but the point is that it's much more complex than passwords which are merely a text-based secret that only requires a text input field.
|
| > Why doesn't the US government calculate how much taxes each person owes and send them a bill/check and let them dispute it?
|
| That's a political problem, but frankly not too far off from the 2FA situation at hand where every company insists on using their own, non-interoperable, often shitty authenticator (a comment above raises an issue with the various not-functionally-necessary permissions that the Microsoft Authenticator app requires on Android) instead of adhering to an open standard such as TOTP (yes it has issues, but the world would still be much better off if we _at least_ converged on that).
| tempfs wrote:
| My favorite fuckup is when the MS Authenticator itself tells me that it needs me to use MS Authenticator to verify who I am, so it sends a code to itself.
|
| You can't make this shit up.
___________________________________________________________________
(page generated 2022-02-16 23:00 UTC)