Before this new wave of SMS trash, we just had TOTP codes that 1Password could autofill for me on any device in any location. Now I need to pull out my phone constantly and pay for international roaming or set up SMS forwarding to travel even if I don't need the number. Yay security!
If the argument is that phone number can always be recovered from real world identity, link the damn authenticator app to SMS instead of having to hand out your phone number to every company in the world.
The problem is that your authenticator app doesn't give them access to a relatively stable, cross-site/app/etc identifier that they can sell for advertising peanuts.
Also, the average Muppet consumer can't manage it.
Not true. If we make Yubi keys cheap enough (below $5) then everyone would want them. Everyone is already carrying around keys, they won’t mind 1 more key. Why can’t we make yubi keys cheaper?
Pocket space is finite. There's no way I'm carrying a yubikey unless I can jam it in my laptop USB port (defeating the purpose of it) and forget about it.
A Yubikey used in that way is still more efficient and secure than every other option.
Someone would need to physically take your laptop, unlock it, and get your account passwords before they could use your yubikey to login to accounts.
Then why not just store the encrypted credential on the device itself?
Would that be what passkeys would be?
A couple of other people answered you already in a lot of detail, so I don’t have much to add there.
But I do recognize that really is a legitimate question and it feels like Yubi would benefit from running more outreach / promotion programs with schools and companies. I never felt like I could justify spending $50 just to try it out (especially when it doesn't have support on a lot of sites), but then they partnered with Cloudflare to sell up to 5 per person at $10 each. It was a no-brainer to try it at that price and I haven't looked back.
Passkeys is like embedded Yubikeys, or, Yubikeys are like external passkeys.
The point of passkeys is that the key is kept inside a separate secure computer running secure blobs, so user code can't touch it. That sounds sketchy, but contactless payments using a similar embedded secure computer have been fine, so this should be too.
Theft: A $2000 laptop is an easy target for anyone with sticky fingers, and so is a $1000 smartphone. A Yubikey has essentially zero resale value, so you will not lose them due to random theft.
Durability: If you drop your smartphone, there's a pretty good chance you'll shatter the screen and buy a new one. You can play tennis with a Yubikey and it'll be fine. You can run it through the washing machine and it'll be fine.
Longevity: Laptops and smartphones generally only have a 3-5 year lifespan due to battery degradation, and many people will want to swap it for one with more storage or whatever anyways. A Yubikey will essentially last forever, and if you stay clear of the insanity that is Passkeys its Webauthn element can support an infinite number of websites.
Portability: I have a smartphone, a work laptop, a home laptop, and a home desktop. My Yubikey has USB and NFC, so it can trivially be used with all of them. Individually enrolling each device would be a nightmare, and having the credentials sync is a bad idea from a security perspective.
Security: If your device gets compromised, it's pretty much game over: the attacker can now log in to all your accounts, any time they want. With a Yubikey I have to physically insert it and tap the button for each login - which is relatively rare because active sessions don't tend to expire. This means I would have to actively participate in a mass compromise of my accounts, making it way more likely to be noticed.
That wouldn't defeat the purpose of it.
It has nothing to do with cost.
Using a yubikey says, specifically, that if I lose this little device and the bypass codes, that I have presumably stored on encrypted storage in a way that doesn't require the yubikey to access, then I want it to either be impossible or exceedingly difficult to recover access to this account.
Very few people actually want that, and if yubikeys become widespread, there will be a wave of people having tantrums because their yubikey is lost and the account is unrecoverable.
If it isn't extremely difficult to recover an account in the absence of a yubikey and the loss of the bypass codes generated on enrollment, then there's no point to them.
I've run a b2c website. There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15 that can't reliably). Those users having yubikeys would be an utter disaster.
It's absolutely a problem with cost, though a little bit with UX. If YubiKeys cost $5, it would be reasonable to have 3 of them: one you keep on your keychain, one at home, and one somewhere else. The UX problem is that you would want a way to enroll a YubiKey that you don't physically possess, but that is a solvable problem.
The bigger problem is that a large number of sites don't implement MFA properly, and don't allow you to enroll multiple MFA devices. This really could only be fixed with regulation that clearly defined MFA, so there would be consequences for improperly implementing it.
I promise you there is a significant percentage of people that would fumble enrollment; you handwaved away a giant problem (multiple enrollment, not present); and many people would put them all on the same keychain.
In the politest way possible, I question whether you've interacted with the modal user.
edit: I can try to dig up the article, but here's the precis: 5-ish years ago, google briefly changed their search results ranking. Lots of people were logging into facebook by searching facebook, instead of typing facebook.com, then following the top result. Some other site briefly was the top result when searching for google. That site got a wave of users submitting help requests because they couldn't log in with their facebook credentials, and accusations of subterfuge or wrongdoing because their accounts were deleted. I think it was pinterest, but I may not remember correctly. Either way, it looked nothing like facebook and didn't use blue.
That's what a significant fraction of internet users are like.
There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15 that can't reliably).
My email address is firstname.middlename@<wellknownemailprovider>.com
I get a dozen emails a week from companies and government agencies trying to reach people with the same first + middle name combination from around the world. People seem to think they automatically get an email address with their name provisioned or something and they just sign up for accounts and services using that combo.
Truly bizarre how many large companies do not verify email addresses before setting up accounts.
No freaking way. I don't use YubiKeys not because they are expensive, but they are less convenient than other options.
There are some quite cheap FIDO2 keys ( https://www.token2.com/shop/product/token2-t2f2-fido2-and-u2... ). But WebAuthn / passkeys can also be provided by your Android or iOS phone, or by the TPM chip in a laptop.
No I promise you they won't "want one".
RSA keypads were an example. Absolutely free. Hung on keychains. Work well in that it was "secure" and worked, but an absolute nightmare for the banks to manage. UX was equally terrible (sure Yubikey isn't that).
The only way to mass introduce it is to require multiple key entities to push and collaborate, like your bank + phone provider, to push it out for free.
Yubi keys are a logistical nightmare for my parents. SMS is not. For my parents, sticking to something in the phone is good.
$5 is cheap where? Most internet companies are global and have little desire to cut off customers in developing countries, since that's a major area of growth.
$5 in the US is roughly equivalent to $20 in my country, when you adjust for purchasing power parity. We have over 70 million people who use Facebook and Youtube daily.
If rich Americans won't pay $20 for a Yubi key (and they are currently $25) why should we be expected to?
I have and use yubi keys; they are annoying to set up and use compared to sms. No one will want that outside a few geeks.
Also an identifier that is much harder to create bots/spam with, as phone numbers are harder to come by than email addresses.
Almost counterintuitively I deal with more spam SMS than I do email but that’s probably less a factor of actual volume and more a factor of the need and sophistication of filters for both services.
It’s likely also a function of the market / location / network incentives.
My own anecdote is that I almost never receive spam SMS despite having nothing in place beyond whatever my service provider does.
Spam mails make it through two+ layers of filters (service provider + my own) more often than I get spam SMS, and I have to trawl the wasteland that is the spam box once in a while to ensure important mails have not been misclassified.
That's why my banks use their own apps as 2FA factors.
My banks' own 2FA apps inevitably stop working at some point. They shut down immediately after launching them. Alternatively they stop reacting to tapping the "confirm" button. If I leave them unattended for a few months, I'm almost certain they'll not work on next use.
Require a phone number for account creation and support TOTP. Win-win.
It’s a loss from the business’ perspective. They could support 2FA with SMS and check a box; to additionally support it with TOTP would only be additional cost -- albeit with the bonus of “doing it right”. Unfortunately, that’s an abstraction which a lot of businesses consider to be achieved when they can check the box.
Doesn’t using your password manager as TOTP code generator reduce the number of factors back to 1?
If the attacker is targeting your 1P, then yes.
If the attacker got a list of passwords from a leak and your password was on it, the 2nd factor provided by the TOTP will still save you.
So, it just depends on your threat vectors. I’d rather people I support keep unique passwords alongside TOTP in a manager they’ll actually use than skip or use SMS TOTP because of a vague concern about targeted hacking of their manager.
If you're already using a password manager with secure randomized passwords, you're not vulnerable to credential stuffing unless that specific service had a breach. I suppose TOTP may still protect against unsophisticated phishing, but only as long as the attacker doesn't phish a TOTP code at the same time and pass it straight along to the service.
Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?
tbh the UX problem of 2fa for "I use random passwords and am not vulnerable to credential stuffing" users is a pretty big reason to stick TOTPs in your password manager.
Security is always a series of trade-offs, and 2fa brings some hideous trade-offs in many sites (well over half only allow one at a time, for example, and then you lose access permanently). TOTP with a standard like this lets you choose, rather than the site choosing for you.
Sites can't rely on password managers and will make TOTP mandatory, cf github.
Right, and if an attacker can dump password hashes they can likely dump TOTP seeds as well. With that level of database access the attacker may be able to steal all your info from the impacted service, so talking about the password may even be a distraction since all your data is already stolen.
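As an added example (not code from any commenter), the following Python shows why the point above holds: a TOTP seed is a symmetric HMAC key, so whoever holds the stored record (a dumped service database, or a copied and unlocked password-manager vault) can generate valid codes, whereas a properly hashed password cannot be recovered from the same record. It implements HOTP/TOTP per RFC 4226 / RFC 6238, and also shows the clock-skew window a server accepts, which is the same window a real-time phishing relay has to land its stolen code in. The RFC test secret, the PBKDF2 parameters and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the epoch.
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    return hotp(secret, at // step, digits, algo)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    # Servers usually accept the current step plus `window` steps either side to
    # tolerate clock skew; that is also the replay window a phished code lives in.
    # compare_digest keeps the comparison constant-time.
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + k * step, step, digits), code):
            return True
    return False

def make_user_record(password: str, totp_seed: bytes) -> dict:
    # Assumed storage layout: the password is salted and stretched (one-way),
    # but the TOTP seed has to be stored in a form the server can use as a key.
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_seed": totp_seed}

def check_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["pw_hash"])

def code_from_dumped_record(record: dict, at: int) -> str:
    # What an attacker holding the dump (or an unlocked vault) can do directly:
    # no cracking needed, the seed *is* the credential.
    return totp(record["totp_seed"], at)

if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    rec = make_user_record("correct horse battery staple", seed)
    print("password check:", check_password(rec, "correct horse battery staple"))
    print("code the attacker computes from the dump:", code_from_dumped_record(rec, 59))
    print("server accepts it:", verify_totp(seed, code_from_dumped_record(rec, 59), 59))
```

The RFC vectors make the implementation checkable (at T=59 with 8 digits the code is 94287082); the practical lesson is in the last two functions: the dump yields working second-factor codes immediately, while the password still has to be guessed through a slow KDF.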
Some password managers do offer the option of challenge-response from a hardware key, but technically speaking the password manager vault file can be considered "something you have" so long as you store it securely, like your SSH private key.
Yes, it's something you have, but it's not a second factor if you're storing your (randomized) password in the same place. If you do that it's just two redundant checks that you have access to the same single password manager vault.
Well in the context of mobile login so is TOTP, push based microsoft auth and other kind of mobile based shit.
I don't know anyone who buys a second smartphone to make sure 2FA is on a separate device.
I'd have to disagree.
The problem is that the vault file can be copied, which means this is now "something you and your attacker have". Even worse, it's not just the (probably encrypted) vault file: if your computer ever gets compromised, it is trivial to wait until you unlock the vault, at which point they can extract the now-plaintext TOTP secrets.
The way I understand it, the "something you have" factor is something which is intrinsically only a single item: either you have it, or you do not. If it can be copied, one of the copies could be compromised without you noticing - and because it's a copy you wouldn't even be able to revoke it without changing your own token too.
If that happens, nothing will save you. The malware can just grab your session tokens whenever you log in, then do whatever it pleases.
In practice the only widespread attack that either TOTP or SMS authentication help with is credential stuffing, and if you use a password manager to use unique passwords on each site you're not susceptible to credential stuffing to begin with.
Both provide some protection against phishing sites, where the phisher needs to maintain their access.
Wouldn't you still need the password database, plus the password or whatever used to open that database? The two factors are related though (a good keylogger should be able to get both).
Multi-factor isn't an end in itself; one strong factor is fine for most things. If your password manager is good enough to not get tricked by phishing, that's already better than most manually used MFA.
You could always use a different password manager or different buckets. Both the apps I use (one for TOTP and one for passwords) can do both lol.
I use my Google Voice number for everything because I can't trust I will have the same number if I change carriers (I have found that porting numbers between MVNOs can be hit and miss) and because I sometimes travel internationally. Now, stupid companies are demanding a phone number, and blocking Google Voice from being used...
You can trust Google will let you use it forever and won't block your account at any time without warning, though.
I only use SMS-based auth for services that demand it, and I find alternative services if they are really critical. Although lately, more services are forcing it without any advance warning...
Don't worry, soon Google Voice will be abandoned by tehGoog.
(Perhaps this is just dread since I use it for the same purpose)
I understand the feeling! I would love to find an alternative, but I haven't yet. I only use Google Voice for services that demand it, and I try to find alternative services when possible. I never use SMS auth for anything truly critical.
Amusingly I believe Google voice needs a valid phone number to sign up for Google voice.
They may require a phone number now... but I am not so much worried about using my temporary carrier number to sign up, because Google doesn't force me to log in with SMS (I now use Google's passkey support, with two passkeys: my phone, and my Bitwarden account).
Google Voice (the free service) has its own pitfalls, which I believe make it a very poor choice to use for online accounts. I’m speaking from personal experience. If you happen to not use it for a little while, Google Voice will send an email with minimal notice (with Murphy’s Law, this will be during a vacation break) that the number will be deactivated. Once that happens, you cannot reclaim that Google Voice number using the same linked phone number. You have to get a new phone number that has never ever been used with Google Voice and then try to link it. Even then, Google Voice will send the OTP and make it seem as if the linking worked but will show as unlinked (and the Google Voice number unavailable) after just a minute or two. You’ll have to retry with another number over and over again until you start banging your head against the wall. After maybe a few weeks or several weeks, that Google Voice number will not even show up for reclamation.
Google Voice is a total mess, and as a “free” consumer service that Google has shown little interest in maintaining and supporting, you don’t get any kind of support or help whatsoever.
My sincere advice (if you’re a free Voice user) would be to delink your Google Voice number from all critical services. Get a real phone number for which you have the ability to get customer support.
Yes, I am aware of these pitfalls. I only use SMS based auth for things that demand it, and if it is a thing that is truly critical, I find an alternative that doesn't demand it. At the very least, I ensure that I have a way of physically showing up and getting my account recovered in a worst case scenario.
Google Voice is probably my favorite Google service... I have looked at alternatives many times in the past and have never found anything that compares that isn't super expensive (and usually not as good). I really hope Google keeps it. But I am prepared to migrate if Google shuts it down (and I really hope they provide a seamless number porting experience if they ever do...).
Trusting Google for anything is a lot riskier than trusting a carrier once in many years.
Their own internal teams as well as game studios didn't know about Stadia's end until the day it happened, what makes you think they'll treat you better with an unpaid service?
Weird, all the carriers I used either have free international roaming (at least for receiving text), or have wifi calling which allows me to use my phone as if I'm on the home network anywhere with an internet connection.
Thank you for your anecdote. However your personal experience doesn't reflect everyone.
Many people don't have free international roaming, in fact mine only has roaming for US (I'm in Canada) and for zero roaming options available outside of North America.
Outside North America, receiving text messages is always free.
Receiving calls isn't necessarily free when roaming.
As a European, the idea of paying to receive a call or text is alien to me, but I understand it happens in the USA.
I'm pretty sure it's illegal for an EU network to charge for receiving a standard SMS or MMS - even while roaming.
I can therefore receive an SMS OTP in any country and won't pay a penny.
False
Mine doesn't!
And though the one I used before did, I usually have a cheaper local SIM in my phone for data use when I'm traveling, and I'm not swapping SIMs just to authenticate to some company that hates its customers.
I am occasionally out of the country for more than a month... I usually pause my phone plan because I don't want to pay for a service I am not using. Sometimes I even get a different number when I return and restart my plan. That is why I use Google Voice, because I can use it over wifi or a data only plan, and the number doesn't change. But now, some stupid companies are blocking Google Voice from being used.
In India your SIM card stops working if you do not recharge every month; after the 2nd month the number gets blocked, and after 90 days the number gets cancelled and recycled.
The going argument is that WhatsApp, if your number goes unused for 90 days, doesn't let you reset your password or something, so it's all fine.
Then it's a matter of submitting a written application to the bank to change your mobile number, so it's all fine.
I recharge my airtel with Rs 1700 something, which gives me a 365 days validity, without need of any additional recharge (plus some GB data everyday).
that is.......... a lot to spend in one go
If you can afford a phone, you can afford 1700 for a year. If not, EMIs are a thing.
That's what, $20 a year? That's nothing.
A few countries in the area have such a short length unfortunately. I’m lucky to have my European SIM card that I can top up once every 12 months. And even if they deactivate it after 13 months, I can recover it within the successive 12 months if I remember correctly.
My favorite is it's often paired with "passwordless" trash lol.
Why can't I just give my whole fucking credential out in 1 action. What's this nonsense where I have to enter my username, THEN wait for the page to load, THEN click "send verification email" or "send code", then half the time they want to SMS me and have me enter another code lmao.
I use 1password with Fastmail integration to create unique email addresses for each login. This new “sipping from thimbles” approach to authentication breaks that because iOS and/or 1pass don’t recognise it as a login until the password screen, so I’m swapping and searching and copying and pasting just to log in. I viscerally hate that sort of user hostile design of the auth/login.
I can’t speak to all of them, but many sites that require (only) a username first have enterprise SSO integrations.
The enterprise buying the service (understandably) doesn’t want its employees to type in both username and password on a 3rd party site, especially since the SSO process will handle auth after the username is entered.
I know of one site with both username and password on the first page, and has enterprise SSO. Login will automatically fail if you enter anything in the password field when logging in with an SSO-enabled username. But that doesn’t stop copy-pasted credentials from being transmitted to their server, which is something enterprise customers want to avoid
And don't forget to solve the 10-stage captcha before every page load!
Before this new wave of SMS trash, we just had TOTP codes
SMS 2FA predates cell phones. First SMS 2FA was AT&T in 1996 using pagers.
The first draft of the RFC for TOTP was written in 2008. Google Authenticator came out in 2010.
And TOTP predates “this new wave of SMS trash”, when every service actually started using it.
Eh, that’s a bit pedantic.
I knew someone who worked for a bank in the late 80’s - early 90’s, and I distinctly remember them having a little keychain dongle that generated one-time codes every (30? 60?) seconds for secure remote login.
The product may have been an RSA SecurID, or something else. Branding aside, it’s the same concept as modern TOTP. The main novelty of the TOTP RFC was standardizing the setup / secret sharing process and algo.
I agree with most of what you say, however:
I don't remember ever having to pay to receive SMS abroad. Is that a common feature with the plans where you live? (I mostly have experience with pre-paid plans from Asia, Australia and Europe.)
Americans screwed up mobile phones since the beginning: they pay on both ends, to receive and to make calls and sms.
I use a simple APK which makes an HTTP POST request on every incoming SMS.
That POST request is processed by my own Google Apps Script to send it to my own Telegram bot.
When I travel where my phone will not work in that country, my wifi connected devices get OTP right away, in about 5 seconds.
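As an added example (not the commenter's script), here is the receiving side of such a forwarder in Python, with the check a practitioner would want on it: the endpoint must authenticate the phone's POSTs, otherwise anyone who finds the URL can inject a fake "your code is ..." message into your Telegram feed or flood it. The payload shape ({"from": ..., "body": ...}), the signature header, the shared secret and the OTP-extraction heuristic are all assumptions; the Telegram Bot API sendMessage endpoint and its chat_id/text parameters are real, but the request is only built here, not sent, so the block runs offline.

```python
import hashlib
import hmac
import json
import re
import urllib.parse

# Assumed: a long random secret configured in both the forwarding app and this script,
# used to HMAC the raw request body so only the phone can post here.
SHARED_SECRET = b"replace-with-32-random-bytes-from-os-urandom"

# Heuristic: a standalone run of 4 to 8 digits. It is only a convenience for the
# notification text; the full SMS body is forwarded too, so a miss is harmless.
OTP_RE = re.compile(r"(?<!\d)(\d{4,8})(?!\d)")

def sign_body(raw_body: bytes, secret: bytes = SHARED_SECRET) -> str:
    # What the sending app must compute over the exact bytes it POSTs.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_signature(raw_body: bytes, header_sig: str, secret: bytes = SHARED_SECRET) -> bool:
    # Constant-time compare so an attacker cannot brute-force the MAC byte by byte.
    return hmac.compare_digest(sign_body(raw_body, secret), header_sig)

def extract_otp(text: str):
    m = OTP_RE.search(text)
    return m.group(1) if m else None

def handle_sms_post(raw_body: bytes, header_sig: str):
    """Return the Telegram message text to send, or None if the POST is rejected."""
    if not verify_signature(raw_body, header_sig):
        return None                      # unauthenticated: drop it, never forward
    try:
        msg = json.loads(raw_body)       # assumed payload: {"from": "...", "body": "..."}
        sender, body = str(msg["from"]), str(msg["body"])
    except (ValueError, KeyError, TypeError):
        return None
    code = extract_otp(body)
    head = f"OTP {code} from {sender}" if code else f"SMS from {sender}"
    return f"{head}\n{body}"

def telegram_send_message_request(bot_token: str, chat_id: str, text: str):
    # Builds the Bot API call (https://core.telegram.org/bots/api#sendmessage)
    # as (url, form-encoded body); the caller does the HTTPS POST.
    url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
    data = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    return url, data

if __name__ == "__main__":
    # Constructed sample: what the phone would POST for one incoming SMS.
    body = json.dumps({"from": "BANK", "body": "Your verification code is 483921. Do not share it."}).encode()
    text = handle_sms_post(body, sign_body(body))
    print(text)
    print(telegram_send_message_request("<bot-token>", "<chat-id>", text)[0])
```

Even with the signature check, remember what this pipeline does to the threat model: a code that was supposed to prove possession of a SIM now transits the forwarding app, the script host and Telegram, so the Telegram account and the script's secret become part of the second factor and deserve the same care as the phone.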