undefined | Better HN

0 pointsgeorgyo3y ago0 comments

The why is obvious.

People will lose their 2FA. It's a fact of life. Lost keys with your yubikey. Broken phone without a backup of your totp. Etc.

After that, how do you prove that someone owns their account?

Send a photocopy of your passport? No way to edit a picture, right?

Answer some security questions, which you certainly forgot the answer to. And people are likely using the same questions with the same answer on many sites.

Tell them tough luck?

The problem is there isn't a good answer for the most common failure mode. SMS 2FA isn't perfect, but it is accessible to nearly everyone and delegates ownership proof to the telephone company.

0 comments

foepys3y ago

In Germany there is a process called PostIdent by Deutsche Post. Any business can send you a QR code which you take to the local post office and a teller will verify your ID. The business is being notified next to instantly and you can proceed with whatever is needed.

It's a nice and smooth process.

Businesses could also use the German government ID, which has a chip with cryptography functionality built in.

sofixa3y ago

> Businesses could also use the German government ID, which has a chip with cryptography functionality built in.

Same goes for the whole EU, it's in the new ID card standard: https://en.wikipedia.org/wiki/National_identity_cards_in_the...

I hope we start seeing some neat use cases with them. Being able to cryptographically (and in some cases anonymously) prove one's unique identity online would be pretty cool.

cyberpunk3y ago

BankIdent is also quite smooth, a simple bank transfer to confirm your identity.

sjf3y ago

I have used both. During that time I've lost access to SMS due to my phone breaking (twice), I have lost permanent access to online banking because the bank will not accept an international number. I came extremely close to losing access to my entire Google account because I use Fi and you need to sign into Google to activate it on your phone, but you need to be able to receive SMS to sign in to Google.

Meanwhile, I have multiple yubikeys that are as hard to lose or break as a house key. Google is kind of the only site that supports hardware tokens, but you can add multiple to your account. I can't think of a single site that allows multiple phone numbers for SMS 2fa.

koolba3y ago

> I have multiple yubikeys that are as hard to lose or break as a house key.

Unfortunately, hard and easy are interchangeable in this sentence. And if you lose your house key you can always call a locksmith or just break a window to get inside.

Even if you don’t have identification on you, if the cops show up you can have your neighbors vouch for you (assuming the cops don’t already personally know you).

sjf3y ago

It's not the same though. You can never do the equivalent of locking your yubikey inside the house.

lamontcg3y ago

Yeah I've got enough yubikeys that I'm very unlikely to lose them all. The only thing that I'm vulnerable to right now is a house-burns-down kind of situation, and I'm considering storing a yubikey at someone else's house to get offsite backup.

herewulf3y ago

The solution is a government issued key pair. Probably on a Yubikey type of device. Replacing a lost one of those is then the same process as replacing a lost driver's license / passport / other government issued identification.

By 2023 it's high time for these forms of identification to catch up with the digital age. It's high time to end the joke of verifying identity by birthday, SSN, "in-security questions", and other easily leaked information. And obviously 2FA by SMS is not good either.

ridgered43y ago

I can't say the idea of a verifiable government id being demanded by every social media or other sign up sounds that thrilling to me. It'll just be facebook demanding a scan of your driver's license in a different form. The SMS verification step where you phone number is demanded "only for security" (and then used for advertising 10 minutes later) is bad enough, but at least it is still possible (if onerous) to get some some separation there.

I'd honestly just prefer TOTP or hardware tokens be mandated as an option for 2FA if you offer it.

arcticbull3y ago

I think Estonia started doing this like 20 years ago. [1]

[1] https://e-estonia.com/solutions/e-identity/id-card/

fsh3y ago

The German national ID contains an NFC smartcard since 2010. Unfortunately, adoption has been quite slow. Many companies still use some wonky video based authentication procedure. I guess they believe that installing a separate app is too hard for many users, and filming the ID is easier.

nytesky3y ago

We should just have state issues licenses with chips. At the bank I show my license; on bank website it reads the chip and pin off my license.

m4rtink3y ago

Not to mention most of the "replacements" are often service specific authenticator apps of dubious quality that might even refuse to run on your device for various reasons.

In comparison SMS works the same for all services - its an easy choice.

debarshri3y ago

Recently, Instagram asked to verify an account I have been using for past 2 year. Spent over $100 on ads.

I felt stupid and embarassed taking my own selfie with a piece of paper with a number written on it. But then I would have lost my account, had to do it.

GravityisaHoax3y ago

Venmo requested the something similar from me a few years ago for an account with 0 activity. Except they wanted a passport or driver's license with a selfie. This was an account without any bank account or cards attached to it. I hadn't used it to pay or receive any money. But it wasn't a new account. I had for like 3 years and just never used it like I thought I would need to.

I understand needing to verify the identity of people transferring large amounts of money, but it was a ridiculous ask for someone who just wanted it to send a friend 10 bucks for lunch. I just used another app, and my identity is still frozen in Venmo to this day. The silver lining is that no one can open an account with my information to circumvent the freeze, so I'm safe in that respect on Venmo.

2Gkashmiri3y ago

i used to use linkedin from a different location from my current one. i didn't think about this but when i tried to log in from my present location, it said something bullshit about "security" and now i am forced to upload my passport for verification and they pinky promise to delete the photo after verification. no fucking way

hellotomyrars3y ago

Facebook decided they wanted my drivers license to verify my account that I wanted to log in to to pull some very old pictures off of it and never think about it ever again.

You have to use the camera on a device, you can’t upload an image file (which just makes things more obnoxious, not any more secure) They tell you they’ll keep the photo stored for a year to better improve their process or whatever other bullshit. You can opt to have them only store it for one month (how nice of them) but when you do that I totally resets the flow of everything so you have to do everything all over again and it makes it seem like you’re stuck in an endless loop of doing that so you’ll just let them keep it for a year.

I caved and did it. There was no time to verify. I was just able to login.

So no, they didn’t need it for any actual verification or security reason. They just wanted the data. It’s almost funny how naked it was.

yencabulator3y ago

Well, banks seem pretty happy with the safety of USPS for sending cards, so how about sending the person a letter with a one-time code?

The multi-day delay even sounds like a good idea, in case someone triggers that system with the intent to steal mail -- it gives the still-able-to-login real user time to veto it.

(If you want a level of anonymity, you can rent a PO box, use a commercial mail handling agent, register c/o a lawyer, etc.)

gleenn3y ago

Solution is multiple yubikeys or printing out backup codes.

nirvdrum3y ago

How are you handling multiple Yubikeys? I'm doing it personally and it's so annoying that I can't imagine recommending this to anyone else. Since I'd hate to lose access to everything if my house burns down, I keep a key outside of the home. Of course, for that key to be useful, I need to update it whenever I use my key on a new site/service. Dropping everything to go fetch my key is inconvenient, so I keep multiple keys in the house. That way I can add two keys to a service and have a local backup in case one breaks. But, then I need to remember to actually add the off-site key to the account as well.

Maybe I should just round-robin the off-site key. It's just tedious to keep track of what's been registered with which key and making sure they're all in sync. I really wish there were a secure way to simply have a key backup.

Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.

avh023y ago

This has been what stops me from going full webauthn, instead right now I use 3 yubikeys with pass (password store) and encrypt with 3 separate gpg keys (one private key stored on each yubikey), I haven't touched one of the yubikeys in a year but I know that if I lose the other two it can still decrypt my passwords.

The disadvantage here is obviously it's just another password manager instead of taking full advantage of hardware tokens, but I want to be able to enroll passwords or tokens without the key present all the time. (Also, yubikeys have limited slots for keys)

zikduruqe3y ago

> this is kind of expensive and also non-obvious as Yubikey primarily sells single keys

Unless you need the GnuPG or SSH applets, I just use the $14 FIDO keys from Identiv. They are also NFC capable for my mobile devices also. I keep one at my office, one at home and carry one in my pack.

I too wish there were a way to keep them in sync or back them up.

Maybe a virtual FIDO key? https://github.com/bulwarkid/virtual-fido

wepple3y ago

Fireproof safe, and living in an area where the fire department would be able to get the fire under control fast enough that I would hopefully not need 1/10th of the capability of that safe.

Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?

2 more replies

artdigital3y ago

I just have one in my drawer and one in my bag / always connected to my Mac

Then a printed backup sheets like 1password somewhere offsite (still needs master password to be usable)

microtheo3y ago

I use Windows hello and Apple passkey as secondary fido devices, isn’t that a valid method??

1 more reply

idontwantthis3y ago

The one time I had to use backup codes with Google they simply didn't work. Fortunately I was still logged on at my home comptuer.

j / k navigate · click thread line to collapse

0 comments

foepys3y ago

It's a nice and smooth process.

Businesses could also use the German government ID, which has a chip with cryptography functionality built in.

sofixa3y ago

> Businesses could also use the German government ID, which has a chip with cryptography functionality built in.

Same goes for the whole EU, it's in the new ID card standard: https://en.wikipedia.org/wiki/National_identity_cards_in_the...

I hope we start seeing some neat use cases with them. Being able to cryptographically (and in some cases anonymously) prove one's unique identity online would be pretty cool.

cyberpunk3y ago

BankIdent is also quite smooth, a simple bank transfer to confirm your identity.

sjf3y ago

koolba3y ago

> I have multiple yubikeys that are as hard to lose or break as a house key.

Unfortunately, hard and easy are interchangeable in this sentence. And if you lose your house key you can always call a locksmith or just break a window to get inside.

Even if you don’t have identification on you, if the cops show up you can have your neighbors vouch for you (assuming the cops don’t already personally know you).

sjf3y ago

It's not the same though. You can never do the equivalent of locking your yubikey inside the house.

lamontcg3y ago

herewulf3y ago

ridgered43y ago

I'd honestly just prefer TOTP or hardware tokens be mandated as an option for 2FA if you offer it.

arcticbull3y ago

I think Estonia started doing this like 20 years ago. [1]

[1] https://e-estonia.com/solutions/e-identity/id-card/

fsh3y ago

nytesky3y ago

We should just have state issues licenses with chips. At the bank I show my license; on bank website it reads the chip and pin off my license.

m4rtink3y ago

Not to mention most of the "replacements" are often service specific authenticator apps of dubious quality that might even refuse to run on your device for various reasons.

In comparison SMS works the same for all services - its an easy choice.

debarshri3y ago

Recently, Instagram asked to verify an account I have been using for past 2 year. Spent over $100 on ads.

I felt stupid and embarassed taking my own selfie with a piece of paper with a number written on it. But then I would have lost my account, had to do it.

GravityisaHoax3y ago

2Gkashmiri3y ago

hellotomyrars3y ago

Facebook decided they wanted my drivers license to verify my account that I wanted to log in to to pull some very old pictures off of it and never think about it ever again.

I caved and did it. There was no time to verify. I was just able to login.

So no, they didn’t need it for any actual verification or security reason. They just wanted the data. It’s almost funny how naked it was.

yencabulator3y ago

Well, banks seem pretty happy with the safety of USPS for sending cards, so how about sending the person a letter with a one-time code?

The multi-day delay even sounds like a good idea, in case someone triggers that system with the intent to steal mail -- it gives the still-able-to-login real user time to veto it.

(If you want a level of anonymity, you can rent a PO box, use a commercial mail handling agent, register c/o a lawyer, etc.)

gleenn3y ago

Solution is multiple yubikeys or printing out backup codes.

nirvdrum3y ago

Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.

avh023y ago

zikduruqe3y ago

> this is kind of expensive and also non-obvious as Yubikey primarily sells single keys

I too wish there were a way to keep them in sync or back them up.

Maybe a virtual FIDO key? https://github.com/bulwarkid/virtual-fido

wepple3y ago

Fireproof safe, and living in an area where the fire department would be able to get the fire under control fast enough that I would hopefully not need 1/10th of the capability of that safe.

Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?

2 more replies

artdigital3y ago

I just have one in my drawer and one in my bag / always connected to my Mac

Then a printed backup sheets like 1password somewhere offsite (still needs master password to be usable)

microtheo3y ago

I use Windows hello and Apple passkey as secondary fido devices, isn’t that a valid method??

1 more reply

idontwantthis3y ago

The one time I had to use backup codes with Google they simply didn't work. Fortunately I was still logged on at my home comptuer.

j / k navigate · click thread line to collapse