undefined | Better HN

0 pointstptacek7y ago0 comments

If you don't know of the database compromise, the technical term for the steady state you are operating in is "owned". 2FA isn't doing anything for you.

0 comments

3 comments · 1 top-level

jjnoakes7y ago· 2 in thread

If you don't know of the database compromise (which could have been a backup or old dump, and not necessarily a live system breach), you may be "owned", but unless the TOTP seeds (or equivalent 2FA master keys) are in that db dump, 2FA most certainly is still doing something for you...

akerl_7y ago

This is bit tautological: yes, if part of your stack is specifically compromised at a point-in-time, other parts of your stack were not necessarily compromised.

But since your user auth flow needs access to the unencrypted TOTP seeds, and user info generally lives in a database, for the majority share of infrastructures a compromise of the DB will compromise all TOTP seeds.

jjnoakes7y ago

Since TOTP seeds are long-term shared-secrets which are all that is needed to complete 2FA, and rarely/never rotated unless someone knows they were compromised, even years-old database compromises (old backups, etc) means current TOTP 2FA is also probably compromised.

Which is not true of some other 2FA mechanisms (which is my point - I never thought about it before, but TOTP has a specific failure mechanism that not all 2FA mechanisms have). I still prefer TOTP to auth codes over SMS, but I wish there was something better (TOTP with seed rotation, auth codes over more secure channels, etc).

1 more reply

j / k navigate · click thread line to collapse