
SoylentNews is people

posted by martyb on Monday March 02 2020, @07:36PM
from the cat-and-mouse dept.

Don't run your 2FA authenticator app on these smartphones:

Aaron Turner and Georgia Weidman emphasized that using authenticator apps, such as Authy or Google Authenticator, in two-factor authentication was better than using SMS-based 2FA. But, they said, an authenticator app is useless for security if the underlying mobile OS is out-of-date or the mobile device is otherwise insecure.

[...] The problem is that if an attacker or a piece of mobile malware can get into the kernel of iOS or Android, then it can do anything it wants, including presenting fake authenticator-app screens.

[...] And don't think iOS devices are safer than Android ones -- they're not. There are just as many known exploits for either one, and Weidman extracted the encryption keys from an older iPhone in a matter of seconds onstage.

The iPhone's Secure Enclave offers "some additional security, but the authenticator apps aren't using those elements," said Weidman, founder and chief technology officer of Washington-area mobile security provider Shevirah, Inc. "iOS is still good, but Android's [security-enhanced] SELinux is the bane of my existence as someone who's building exploits."

"We charge three times as much for an Android pentest than we charge for an iOS one," Turner said, referring to an exercise in which hackers are paid by a company to try to penetrate the company's security. "Fully patched Android is more difficult to go after."

[...] In short, "we need to move away from usernames and passwords," Turner said.

[...] Turner [said] "I am fundamentally opposed to using biometrics because it's non-revocable," he said, citing a famous case from Malaysia in which a man's index finger was cut off by a gang to steal the man's fingerprint-protected Mercedes. "Fingerprint readers are biometric toys."

The only form of two-factor authentication without security problems right now, Turner said, is a hardware security key such as a Yubikey or Google Titan key.

"I've got two Yubikeys on me right now," Turner said. "Hardware separation is your friend."


  • (Score: 2) by DannyB (5839) on Monday March 02 2020, @09:11PM (#965684) (1 child)

    Whatever imperfection there is, will be found and exploited, in time.

    Then some obscure imperfection is a gaping security hole.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 0) by Anonymous Coward on Monday March 02 2020, @09:38PM (#965696)

    Whatever imperfection there is, will be found and exploited, in time.

    I doubt someone will dedicate resources to target code I compiled from source, while everyone else is on auto-upgrade.