Google to auto-enroll 150 million user accounts into 2FA

Authy... screw that, Bitwarden or even better VaultWarden.

But these are things you can set up yourself; the default push is going to be smartphone-based stuff.

Datto ditched Authy a few years back due to security issues by the way, I don't know if that was ever resolved... so beware.
 
I too use authy but note that Google pushes its 2fa to ALL of your devices including desktop chrome
Yeah that's great, but I have 2FA on more than just Google accounts, and I don't sign into Google Chrome except on my main computer. Everyone needs a general 2FA app, and Authy is excellent since it works on every device you own. Tying your 2FA to a single device is moronic. If you ever lose the device or it dies, you're screwed. It's also inconvenient unless you have your smartphone in your pocket at all times, which I don't. I barely wear pants at home so I have no pockets. I remember early SMS based 2FA being forced on me and getting really p*ssed off because I would have to hunt down my phone just to sign in to my accounts.

As it is right now, I don't use 2FA on my Apple account because Apple refuses to accept Google Authenticator. Thankfully I don't use my Apple account for anything important. It doesn't have a CC on file, nor do I use iCloud services other than the ability to answer calls on my iPads. If somebody compromised my Apple account, I'd just make a new one.

All my other accounts have 2FA enabled. I use Authy for 2FA and LastPass for password management. I have them installed on my phone and I have them set up to stay signed in for 30 days. I use my phone so rarely though that by the time I go to use it again, I have to enter my master passwords all over again. I just really don't use my phone for anything. Why would I want to use a little 6" screen when I've got 27-75" screens on every level of my home? Most recently I used Lyft on my smartphone and had to log in to LastPass and Authy again since I hadn't used my phone to log into anything in more than 30 days.

I'm seeing this trend a lot more with my clients as well. They're staying home a lot more thanks to the pandemic and want to use their phones as little as possible since they have better devices available. Bigger screen = better unless portability is the main concern.
 
Datto ditched Authy a few years back due to security issues by the way, I don't know if that was ever resolved... so beware.
That's because hypothetically a criminal could call your phone carrier and trick them into mailing them a SIM card, which would allow them access to your phone number. They could then use your phone number to get into your Authy account. The problem with these hypothetical scenarios is they're so unlikely that they're not even a concern. First off, the criminal would have to know that you use Authy, know your phone number, and know what carrier you use. Second, they would have to know what accounts you have on which websites and what passwords you use, so they'd have to break into your password manager too. In addition, Authy encrypts your 2FA accounts with a password, so even if a criminal did get into your Authy account, they would need that master password in order to do anything.

Unless you're a high profile individual that has a lot of money, no one is going to target you specifically. They're going to target people with the weakest security. 2FA with Authy is still more secure than SMS, but even SMS is pretty secure. The chances of being able to charm the Verizon rep into mailing a SIM card to a different address on the account is not very likely. If they had your SSN and other info needed to impersonate you to the Verizon rep, you've got much bigger problems than a criminal accessing your Facebook account. Basically, in order for these criminals to be able to get past your SMS 2FA, they would already have stolen your identity. Why bother getting into your existing account when they can open a fraudulent CC under your name instead?

Any type of 2FA makes an account 100x more secure, as the criminals need to basically steal your whole identity in order to get past it. Authy adds another layer of complexity since the 2FA codes are encrypted with a master password, so just getting access to your phone number isn't enough to get into your Authy account. And even if they did get access to your Authy account, they would need your passwords too, which should be stored in a password manager.

In other words, most of these hypothetical security issues aren't really a concern. So long as there are people out there with weaker security, they'll be targeted before you are. Authy is going to be less secure from now on not because the technology has changed, but because the base level of security is changing, making Authy a more tempting target.
 
@sapphirescales That scenario you've spent entirely too many words describing happens frequently enough for Verizon Wireless to have been sued for over 100 million and counting so far.

SMS based authentication, or use of a cellular number for recovery is a very bad thing without another token to go along with it. It's trivial to duplicate a SIM.
 
Verizon Wireless to have been sued for over 100 million and counting so far.

1. Citation of lawsuits.
2. Did the plaintiffs win?

The fact that any individual or entity has been sued in our modern, hyper-litigious world and the willingness of the courts to accept (or not throw out) frivolous lawsuits has created a disconnect between lawsuits being filed and all else.

I'm not saying the above is specific to this instance, either. It's almost universally true. People and companies sue each other at the drop of a hat these days. The bar for what the courts will actually hear has been lowered quite a bit, too.
 
1. Citation of lawsuits.
2. Did the plaintiffs win?

The fact that any individual or entity has been sued in our modern, hyper-litigious world and the willingness of the courts to accept (or not throw out) frivolous lawsuits has created a disconnect between lawsuits being filed and all else.

I'm not saying the above is specific to this instance, either. It's almost universally true. People and companies sue each other at the drop of a hat these days. The bar for what the courts will actually hear has been lowered quite a bit, too.

Google, I'm not your personal secretary... and to be frank educating you on this is a huge waste of my time given your previous comments and history on this topic.

But here's a relatively easy example: https://www.foxla.com/news/fox-11-t...ccused-of-taking-bribes-from-sim-swap-hackers

Then there's the older stuff that plagued the crypto community back in 2017-2018, supposedly things "have improved". But then T-Mobile steps in it instead: https://www.cnet.com/tech/mobile/t-...d-sim-swap-scam-how-to-protect-your-identity/


I can keep going... Verizon has been working double time to keep the settlements for the lawsuits that stem from these events out of the news, but they just keep cropping up. I use Verizon as an example but in reality every one of them is guilty of it.

DO NOT CONSIDER your cell phone a unique identifier, nor should you consider it safe. Push notification to an app on your phone is secure, SMS backup obliterates any and all gains made from MFA due to cellular carrier stupidity.

Besides, no one wants to punch in that stupid number...


Oh look... another one...

As the global economy slips into recession... possibly depression... this gets WORSE not better.
 
Google, I'm not your personal secretary... and to be frank educating you on this is a huge waste of my time given your previous comments and history on this topic.

I am perfectly capable of using Google, and getting lots of results you would likely find "not relevant" even in the context, hence the reason I asked. And I'm not asking you to educate me about 2FA, I'm asking you to be specific when I think specificity would be helpful. If you don't want to do that, fine, but my point stands. You cannot count the presence of lawsuits against anyone about anything as a valid metric as to whether the suit has merit or not. It's only how they settle out that tells you that.

You're not going to change my mind about the lack of need for 2FA in most instances for trivial logins. And most of our logins are just that, trivial. Nothing could be stolen were someone to gain access. My identities on ToyotaNation Forums, GitHub, Groups.io, Sysnative Forums, here on TechNibble, and the list goes on and on are not now, and never will be, worthy of worrying about having 2FA for.

You seem to believe that any given protocol is the magic bullet out of security compromises. My decades in this business tell me that "spy versus spy" will never end, and that we really need to think about what needs protecting and in what ways. One size is never, ever, going to fit all no matter how much you, and a raft of security experts, wish it would.

I'm old enough to have seen virtually every expert recommendation modified or, at times, completely backpedaled because of the law of unintended consequences. If you haven't gotten there yet, regardless of what eventually does get you there, you most assuredly will eventually arrive at that destination.
 
You're not going to change my mind about the lack of need for 2FA in most instances for trivial logins. And most of our logins are just that, trivial. Nothing could be stolen were someone to gain access. My identities on ToyotaNation Forums, GitHub, Groups.io, Sysnative Forums, here on TechNibble, and the list goes on and on are not now, and never will be, worthy of worrying about having 2FA for.
No one’s asking you to. For most people, your Google account is tied directly in to your phone, your search history, your gmail and much more. Microsoft, Google, Apple, Facebook should all have 2FA enabled. Your main email account as well, if not provided by one of the above because hackers targeting those services can gain a gold mine of personal information about you.
 
No one’s asking you to.

Seriously, really? The position that is routinely promulgated in every one of these topics is: 2FA is essential, everywhere and in all cases. Better to have it everywhere and never think about where it is, or is not, appropriate.

And I will also cop to not knowing exactly what 2FA is being taken to be, precisely, in each and every case. In order to use my Google Accounts (the ones I do use) on my Android devices I have to log in using a form of 2FA that is non-transient. I don't have a single issue with that, and do it, and have done it under things like Outlook which uses Google OAuth (which is 2FA but non-transient) when needed or forced.

But most 2FA I have to deal with, that I hate, is of the send-me-a-code variety. It's a grand PITA that I am not willing to participate in voluntarily, with the rarest of exceptions where what is being protected is, in my opinion, in need of and worthy of protection. And that kind of 2FA is being pushed and pushed and pushed for truly trivial kinds of access. That's really, really not helpful, nor is it an effective use of anyone's time or resources.
 
No one’s asking you to. For most people, your Google account is tied directly in to your phone, your search history, your gmail and much more. Microsoft, Google, Apple, Facebook should all have 2FA enabled. Your main email account as well, if not provided by one of the above because hackers targeting those services can gain a gold mine of personal information about you.

This... It's about accounts that have either access to personal metadata that can be used to steal your identity, or accounts that have real monetary property attached to them.

Last time I checked, this forum was largely for business owners. Business owners, due to the legal nature of our existence, operate at higher risk of ID-based issues. Issues that can destroy the public's trust in us at the drop of a hat. And why? Because someone got into an "unimportant" forum somewhere.

The fact that this forum DOES NOT support MFA actually does bother me. Because I have no clue what information will lead to my downfall, or from where it was gleaned, until after it's too late.

@britechguy Spy vs Spy you say... yeah I suppose that's accurate. But you're using your head and memory cues to fight against state sponsored actors and automation. You will lose... you will always lose. These tools are designed for reality, and they aren't created by accident. You are however quite right to be upset at the absurd requirement of typing in that stupid code... We have better tools for that. BUT... a basic TOTP implementation with a password manager is pretty seamless too, and also the most painless to implement in a place like this. But you're not wrong to fight the time waste it represents... because that's quite real.

Sadly, push notification based MFA is expensive and nontrivial to implement. There's a reason Microsoft and Google have both exposed their authentication engines via API to 3rd parties. But even that path has a TON of mines in it. This is where I spend most of my time these days: trying to strap everything I can to the M365 login, so users have that push button experience. Then there's the data mining of the authentication logs to ensure someone isn't mucking about where they shouldn't.
 
Last time I checked, this forum was for largely business owners. Business owners due to the legal nature of our existence operate at higher risk of ID based issues. Issues that can destroy the public's trust in us at the drop of a hat. And why? because someone got into an "unimportant" forum somewhere.
Not only that, but we are in an industry that is being directly targeted. SolarWinds, Kaseya and other MSP vendors have been targeted. MSPs have been directly targeted in order to attack our clients. It’s not paranoid when they really ARE after you.
 
to fight against state sponsored actors and automation.

And here's where we fundamentally disagree.

State-sponsored actors do not now, and never have, had me, personally, as a target and never will. There's no payout from doing so. This sort of nefarious actor has, and always has had, bigger fish to fry - way bigger fish.

And automation, given current computing capacities, has definite limits, and "small-time" (for lack of a better description) nefarious actors are smash and grabbers, for the most part. If they can't access something via automation within seconds, it's on to the next target. Someone with a password such as "Sproul123Technibble!" for a site such as this is so unlikely to be "hacked" via automation that it had might as well be considered a zero probability.

I worry about protecting those things I think need protecting and via the means I feel are adequate. You do the same, but want everyone to share your beliefs about what is adequate and when. And that's where the disagreement lies between us. The Fort Knox quote I trot out occasionally distills this difference to its essence.

I also don't believe that around every cyber corner, at every moment, lies a threat. Just as I don't believe that in real life, around every corner lies a threat. I'd hate to live in a world where that were the reality and what such a reality would do to my ability to exist with any peace of mind about anything. Realistic risk assessment, coupled with almost 60 years of living, have given me more than enough evidence that my approach is not unreasonable nor without merit.
 
It’s not paranoid when they really ARE after you.

And where that's the case, you'll have no argument from me.

But I am tired of hearing people say things along the lines of, "we are in an industry that is being directly targeted," and thinking that this is generally applicable to each and every practitioner on this site. It's not, because our client demographics are wildly different and what's needed to protect a major corporation, which is a very juicy target for many nefarious actors, and what's needed to adequately protect me, or my average residential client, are very, very, very different things.

Thinking about what is necessary, and the context to which it is necessary, with each client and circumstance is what we are obligated to do as professionals.

One-size-fits-all and/or gross overkill do not serve a single one of us from a professional perspective. IBM's once tag line applies: Think.
 
@britechguy Right, because your sample size of 1 life knows all...

Ok Boomer, on with your anti-vax agenda I guess. Make no mistake, this is just the same level of ignorance, and being chosen willfully via the same reasons and stupidity. I've done my bit once again, and am happy to know the market has not only proven you wrong, but is forcibly making you change.

Sadly, I'm not likely to see the same thing happen with vaccines.
 
happens frequently enough
Then there are three possibilities here - either the criminals already have the victim's personal information, including SSNs, in which case them getting access to your 2FA accounts is the least of your worries, or Verizon is totally incompetent and isn't verifying people's identities before sending a new SIM to a totally different address, or criminals have actually gotten hired at Verizon for the sole purpose of stealing phone numbers. You'd think if it were #3 though that they wouldn't need to bother stealing phone numbers since they'd have access to countless customers' information just by working there. That leaves #1, in which case, again, 2FA accounts are the least of your worries, or #2, in which case Verizon will learn their lesson and change their policies so this doesn't happen in the future, and other carriers will take notice as well and make sure to implement better security practices when it comes to sending out new SIM cards over the phone.

In any case, Authy's use of a master password is more secure than SMS 2FA, but even SMS 2FA is much more secure than non-2FA accounts. Now that Google and other companies are enforcing 2FA though, SMS 2FA is now the bottom floor of account security, which means you're the prime target if that's what you're using. SMS 2FA will soon be just as insecure as having no 2FA at all, but that hasn't happened yet. There's still time to move people to something else. Even if you don't move away from SMS 2FA though, carriers will get better at making sure they don't send out new SIM cards on a whim to the bad guys. And there are still countless websites that don't even support 2FA, which means there are still ripe targets for the criminals that don't require them having to steal your phone number.
 
And where that's the case, you'll have no argument from me.

But I am tired of hearing people say things along the lines of, "we are in an industry that is being directly targeted," and thinking that this is generally applicable to each and every practitioner on this site. It's not, because our client demographics are wildly different and what's needed to protect a major corporation, which is a very juicy target for many nefarious actors, and what's needed to adequately protect me, or my average residential client, are very, very, very different things.

Thinking about what is necessary, and the context to which it is necessary, with each client and circumstance is what we are obligated to do as professionals.

One-size-fits-all and/or gross overkill do not serve a single one of us from a professional perspective. IBM's once tag line applies: Think.
It's difficult to determine your client demographics until I have broken into your system and monitored you for a while. Determining that you are a computer tech is easy. You have a website. And if you have regular clientele they likely have some wealth. And many independent techs keep password data for their clients. And small shops can't afford IT Glue or Passportal. So yes, you are a target. Any computer tech is.
 
So yes, you are a target. Any computer tech is.

We'll just have to agree to disagree on this. There is no resolution to be had.

Target selection is very, very seldom "at random," entirely at random. And even a cursory analysis of my website would reveal that the probability of my being a "juicy target" is near to zero.

I may be a target, in the sense that any living being might be, but I'm more than one billion down the list, that's a certainty.
 
@sapphirescales

The Experian data breach alone exposed every single American that owns any actual property's private details years ago: https://www.identityforce.com/blog/experian-api-data-breach-impacts-nearly-every-american

Mapping a cell phone number to a person is a function of data mining, a process that's fully automated now.

You're right that SMS based MFA is the bottom tier, and it is better than nothing... but it's only a marginal improvement. Our telephony networks are too easily exposed via many vulnerabilities, but at least locking things to a mobile number "usually" limits your threat surface to people that are physically near you. Which is a huge improvement over global automation vulnerability that single factor affords.

Authy just doesn't have anyone but their own best interests at heart, and the way they handled the breach that led a ton of industry partners, Datto included, to abandon them revealed their colors. That's why I use Bitwarden instead. I used to use the crap out of Authy too; it's really convenient.

But yes, if you're a business owner, your SSN, address, phone numbers all of that is on the dark web right now. Doesn't even take any time to go look it up.
 