Two factor auth was always a scam.
Why is two factor better? Because then if one of your devices gets compromised, the other does not.
Why does the first compromised device not have remote access to your second device?
Because that's not possible; the second device will be a newer one where only the manufacturer has low level access, and only the manufacturer decides when to do updates or remotely execute stuff.
As soon as you take back your phone, and are able to ssh into your phone from your primary factor and get your 2-factor unlock code from command line, then when your primary factor is compromised it's back to only a game of security through obscurity - relying on your adversary not to happen upon the idea that they should SSH to the phone.
Security through obscurity is not real security. Cryptography is real, as is the lack thereof.
Sometimes security through obscurity works early on. It's possible that two-factor auth worked well initially. But with security through obscurity, once your adversar(ies) catch on, the gig is up.
And two-factor auth is extremely mainstream now.
But what are we going to do instead? Android and iOS would love to convince everyone SIM cards are unsafe. Once everyone believes SIM cards are unsafe, they will turn to eSIMs. Pushing everyone onto eSIMs will remove the aspect of phones where the human was able to remove their SIM and put it in a different device, because now the device or operating system manufacturer will control the software for the file system access and the eSIM access and they will be the arbiters of whether you can remove your SIM card and place it in a different device like a Librem 5 to try to escape. And they will say NO, I'm sure.
That is going too far, and in particular there are many assumptions in such a claim.
2FA as implemented by text message to phone certainly has weaknesses (as discussed in part in the blog article) but that is only one possible implementation of 2FA.
If we limit ourselves to
- first factor is a password being used on a desktop/laptop, and
- second factor is something that comes from your phone
then one thing is certain: if both devices are compromised then 2FA hasn't in practice gained you anything. However in theory it has forced the attacker to compromise a second device i.e. it has raised the bar - and that is a good thing.
Let me illustrate the other end of the spectrum. First factor is as above, but second factor is an RSA key (a device which is not on the network at all, never will be, never can be, has no connector port at all, and hence there are likely no remote compromises at all, and if well designed it will be difficult to compromise even if local to or in possession of the device). That's not a scam. That's solid.
At the end of the day, it is about being realistic about all the possible attack vectors, and then further being realistic about which ones you want to and can defend, and to what extent.
Both of those are assumptions.
- It is your choice to enable the SSH server on your phone. You don't have to. It isn't enabled by default. It's a trade-off.
- Even if you do enable the SSH server on the phone, the security architecture on the phone determines whether codes are accessible to the account that you SSHed into. You control which accounts can be SSHed into (and you should do that if you choose to enable the SSH server permanently). It may well be the case that you can SSH in and grab a code but it doesn't need to be the case. (For example, it has several times been stressed in posts in this forum that you shouldn't really add rando users to the dialout group on your phone - because if you do then rando users can directly interface with the cellular modem and a sophisticated attacker can probably grab codes directly off the modem.)
So, yes, when you take back your phone, you also take on a certain amount of responsibility for how you set things up on the phone.
Text message to phone is inherently weak as a second factor because it actually gets away from what the second factor was supposed to be. It was supposed to be that the first factor is "something you know" (i.e. a password) and the second factor is "something you have" (i.e. a device) but because it is a little too easy to redirect phone service (SIM swap), it isn't "something you have" at all.
Put another way, the text message isn't sent to the one specific phone that you have. It is sent to a phone number and that phone number could be somewhere else. That's why non-proprietary TOTP apps are more solid and even proprietary apps are more solid than text messages.
Some adversaries have caught on to the idea that some users are silly enough to reveal codes publicly (i.e. to an unknown caller) and that limits the effectiveness even of some 2FA that is otherwise solid. The attack doesn't always need to be technological.
I would suppose that SIM swap attacks work just fine with eSIMs.
An eSIM is primarily favoured because it lubricates the fulfillment cycle. You can order a new phone service online at time t and within minutes your phone's eSIM contains the needed SIM information and your service is live. Compare that with having to produce and "program" a physical SIM and then send it out via the postal system.
I'm sick today, so I'm going to go too far if I want to. There's a lot of theoretical ways I think your points are entirely accurate and totally valid.
In practice, a lot of websites ask for phone number which in my opinion is to appease 3-letter agencies' desire for a consistent identifier across websites, and then if you forget the "primary" of the two factors they allow you to reset the account with the phone number anyway. It makes the purpose of the primary factor "password" totally bogus. I got hacked years ago by this - had been using a shared family plan for a phone, decided to live my own way, bought my own thing, handed the phone I previously used back to previous owner. Within a few months, unknown to me, they canceled that one of their group of family plan phone numbers.
The phone company turned around and immediately sold the same number to some other guy, who then started using it to log in to stuff as me that I didn't normally use and had forgotten about - because these sites so often use phone number as a total 1 factor blanket back door in the name of "security."
That doesn't mean anything you said is incorrect; it's just how I feel about the empiric reality that has come back as a consequence of folks like you being entirely theoretically correct but then marketing and short-sighted people build systems that don't actually work like that at all.
There are a lot of arguments in favour of not giving a random web site your mobile phone number regardless of the specific use for receiving 2FA codes via SMS and/or for doing a password reset.