
posted by chromas on Thursday March 07 2019, @05:40AM

In a presentation at this year's RSA Conference, taking place in San Francisco this week, Dr L Jean Camp, a professor at Indiana University Bloomington in the US, and her doctoral candidate Sanchari Das, detailed their research into why people aren't using Yubico security keys or Google’s hardware tokens for multi-factor authentication (MFA).

For those who don't know: typically, you use these gadgets to provide an extra layer of security when logging into systems. You enter your username and password as usual, then plug the USB-based key into your computer and tap a button to activate it. The thing you're trying to log into checks the username and password are correct, and that the physical key is valid and tied to your account, before letting you in.

That means a crook has to know your username and password, and have your physical key to log in as you. We highly recommend you investigate activating MFA on your online accounts, particularly important ones such as your webmail.

What the pair found during their research work derails any previous assumptions that the lack of MFA uptake is because people are stupid, or can't use the technology. What it comes down to is education and communicating risk.
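The login flow the summary describes, as an added example that is not from the article or from Yubico or Google: the server keeps a password hash and the public key of the token registered to the account, issues a fresh challenge per login, and lets the user in only if both the password and the token's signature over that challenge check out. The hostname binding, the Ed25519 signature (a real U2F/FIDO key uses ECDSA P-256 and a richer message format) and the `Account` layout are this example's own simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Account is the server's record: the password hash plus the registered token's public key.
type Account struct {
	PassHash [32]byte
	TokenPub ed25519.PublicKey
}

// NewToken stands for the key's manufacture: the private half never leaves the device.
func NewToken() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// assertion is the message the key signs: the challenge bound to the relying party's
// hostname, so a signature collected at a look-alike site fails at the real one.
func assertion(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// TokenSign is what the key does when the user taps its button.
func TokenSign(token ed25519.PrivateKey, rpID string, challenge []byte) []byte {
	return ed25519.Sign(token, assertion(rpID, challenge))
}

// Register ties the token's public key to the account (plain SHA-256 stands in for a slow password hash here).
func Register(password string, token ed25519.PrivateKey) Account {
	return Account{PassHash: sha256.Sum256([]byte(password)), TokenPub: token.Public().(ed25519.PublicKey)}
}

// NewChallenge returns a fresh random nonce per login attempt, defeating replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Login passes only when both factors check out: the password and the registered key's signature over this challenge.
func Login(acct Account, password, rpID string, challenge, sig []byte) bool {
	h := sha256.Sum256([]byte(password))
	pwOK := subtle.ConstantTimeCompare(h[:], acct.PassHash[:]) == 1
	return pwOK && ed25519.Verify(acct.TokenPub, assertion(rpID, challenge), sig)
}
```

A phished password alone fails the second check, and a signature captured at another hostname or over an earlier challenge fails the first, which is the property the later comments about remote attackers rely on.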



 
  • (Score: 0) by Anonymous Coward on Thursday March 07 2019, @06:03AM (4 children)

    by Anonymous Coward on Thursday March 07 2019, @06:03AM (#811049)

    Most of my logins are totally worthless and nobody in their right mind would bother trying to break in. That goes for about 95% of everything. But in any case MFA is a false security because physical items can very easily be stolen, copied, or substituted. An excellent password stored in my brain cannot be easily stolen.

    Unfortunately nobody can "sell" the concept of a good password, so dongles and MFA are currently fashionable products to try and sell.

  • (Score: 2) by c0lo on Thursday March 07 2019, @08:26AM

    by c0lo (156) Subscriber Badge on Thursday March 07 2019, @08:26AM (#811077) Journal

    Excellent password stored in my brain...

    Until you are able to communicate with computers telepathically, that password will need to be expressed in the real world in one form or another.

    ... cannot be easily stolen.

    Stolen? Maybe not. But you may be surprised at how effective some old techniques of extraction still are; things like "rubber-hose cryptanalysis" aka the "$5 wrench attack".

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 1, Informative) by Anonymous Coward on Thursday March 07 2019, @08:32AM

    by Anonymous Coward on Thursday March 07 2019, @08:32AM (#811078)

    If the token's worth the electronics it's made of, it can't be easily copied or substituted without actual physical access to it. The Russian hackers won't be able to steal such a token from you. The FBI or the NSA isn't going to bother to hire a thief to pick your pockets for it. If you were important enough for them to consider doing that they'd just arrest you and shake down your MFA token that way. If you only used a password they'd threaten you with having the CIA send you to some extraordinary rendition site with lots of rubber hose to make you give up that vaunted "excellent password stored in your brain". I wonder how many hours of torture it would take before you told them your password.

    And about that... our brains are rather fallible things, and it is very easy to FORGET a password stored in your brain, especially if it's a password that can't be easily brute-forced. And then you'll be just as SOL as if you were hacked, possibly even worse off because you'll then lose everything that password is supposed to protect. YOU might be one of the people who has the autistic-savant talent of reliably remembering dozens of 25-character random passwords, but most normal people won't be able to do that.

    Most of your logins might really be totally worthless, but you never know what mischief a creative criminal can use them for. Until you remember that once upon a time long ago you gave some site access to one of your credit cards. Or that you re-used the password, or used a similar password, for some login that is actually worth something.

  • (Score: 0) by Anonymous Coward on Thursday March 07 2019, @09:17AM

    by Anonymous Coward on Thursday March 07 2019, @09:17AM (#811084)

    90% of everything is shit, a well-known fact.

    But physical security is pretty great. It's all life has relied on forever (billions of years) except the last few decades.

    I don't mind emptying the bank account of somebody who lives on the other side of the Earth. In many jurisdictions they do this all day long. But would I travel there first to try and steal some token, only to find the guy has $13,25 in his account? Don't think so. It's a high bar.

    Put more post-it notes on the monitors with all your passwords on them. Or at least use a password manager.

    The "high security" locks and Large Men With Guns are there for a reason.

    Besides, MFA doesn't have to be anything sold; a piece of paper containing one-time passwords asked for in random order suffices nicely...

  • (Score: 2) by vux984 on Saturday March 09 2019, @06:17PM

    by vux984 (5045) on Saturday March 09 2019, @06:17PM (#812079)

    "Most of my logins are totally worthless and nobody in their right mind would bother trying to break in. "

    Unless you use the same login for something worthwhile, which happens a lot.
    And in the case of email, they are often the recovery mechanism for worthwhile stuff.

    "But in any case MFA is a false security because physical items can very easily be stolen, copied, or substituted."

    Hence the M in MFA is "multiple". If someone 'far away' phishes your password, or hacks some online service which stored your credentials -- both of which are easily the most prevalent forms of attack right now -- they're going to have a tough time getting their hands on physical items from you.

    Sure, it doesn't do much to help if your attacker is your roommate, or someone steals your laptop with the dongle in it... but those are rarer... and you still have your password in your head. So best case, you are a lot more secure. Worst case, you are no less secure.