How to Enable Two-Factor Authentication on Twitter and Other Popular Sites (eff.org)
63 points by riledhel on May 29, 2013 | hide | past | favorite | 24 comments


I don't get why Apple and Twitter don't support TOTP. It makes their 2FA useless for lots of people.


Twitter already has a huge infrastructure for SMS, reusing it makes some sense from an internal-logic standpoint.

For Apple's use-case, their users already have phones, and understanding TOTP would make it harder. Push notifications are already pretty straight forward, so building on top of that also makes sense.

For Google, for instance, I often use their SMS verification rather than going to the authenticator anyway - It's faster, easier, and gets me logged in. It still raises the barrier of entry versus just guessing my password.


I don't think they should remove SMS support, but that it's not sufficient on its own.

At least for me, TOTP is much faster than SMS would be: request it, wait for it to arrive - if I have good signal, get to it on my phone vs. open the authenticator app and read one of the codes.


I agree. I love the idea of TOTP. It is not tied to a specific vendor or app and it doesn't require an internet connection to work. The only issue I found was there is no way to change the default timeout of 30 seconds, and 30 seconds may be more than enough to brute force a 6 digit numerical phrase.


It's likely not enough time, since the website you're logging in to can forbid that many passwords from the same token in a short amount of time.


Did not know that Facebook have support for two-factor authentication.

Appreciate that EFF is putting effort into awareness on this issue.


Good stuff; FWIW, I've been playing with the Twilio (php) implementation and so far it looks like we may use this for a certain client...

http://www.twilio.com/docs/howto/two-factor-authentication


Twitter doesn't allow me to add 2FA because my carrier (BSNL/India) isn't supported. Facebook doesn't give me an option to add Login Approvals because it's not rolled out to everyone. I need 2FA, and I need it now!


Disappointing that each provider uses a different name. Imagine if they each had their own name for the password field. They should all just call it two-factor authentication.


"Two-factor authentication" is too vague. Biometrics, smart cards, and one-time pads could all be used as second factors.


Great, now that my Twitters, Googles and Dropboxes are 2FA enabled, how about a US bank follows suit? Pretty please? Ally, ING?


USAA offers SMS-based 2FA. It's a bit clunky, but it's there.


I have a question about this. What happens if I lose my phone? Do I lose access to the account?


I'm not aware of how other services handle this, but Google hands you "Backup Codes" that you can use when you don't have your phone. Google recommends keeping them in your wallet, but I keep them safe on LastPass, which helps when you are without both your phone and wallet.


I think they will make you go through the account reset sequence just like when you lose your password.


Assuming you are using SMS, can't you just get a new phone and port the number over?


WordPress.com also uses Google Authenticator to enable two factor auth.


Not using SMSs. Waiting until Google Authenticator or similar support.


Phishing [and mitm] attacks are not mitigated by two-factor.

http://www.digitaltrends.com/social-media/thanks-twitter-but...

"So how can anyone hack Twitter with two-factor authentication in play? The account info you’ve just entered will automatically be entered into the real Twitter.com by the hacker. And seeing as how you’ve had your account info entered into Twitter.com for you, Twitter’s two-factor authentication will ping the victim with the SMS and temporary password as expected, Toopher (a two-factor security service) CEO Josh Alexander explains.

At that point, since you’ve received an SMS from Twitter, you’re probably under the assumption that the account recovery process seems legit and would continue to enter in that temp password into the fake Twitter site. Of course once that’s done you’ve lost complete control of your account."

http://www.theregister.co.uk/2007/04/19/phishing_evades_two-...

"Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.

As soon as the hackers received these details they were able to log into a customer's account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer's money." (they didn't need to redirect the customer to intercept the credentials but it makes it harder to detect)


No, and it also doesn't solve global warming. But it's a huge step in the right direction.


It's not a huge step. Training users not to reuse passwords (or login IDs!) would be a huge step. Not using easily found personal information for password recovery would be a huge step. Implementing the second factor in a less feeble way would be a huge step.

This is a small step. Like a padlock made of cardboard, this is the weakest attempt they could make. They probably don't even use heuristics to determine if your environment has changed so they can re-challenge you (now industry standard among authentication solution providers).

Twitter added this feature because they've had too many high-profile hacking stories in the media and nobody would keep investing in a company whose security track record is a tabloid joke. This is a step towards keeping their users and potential investors from running for the hills.

Here are some alternative methods to secure user credentials:

- Bcrypt

- Require the login ID to be separate from their email address or public handle

- Verify two-factor PINs via reply

- Additional authorization methods for group accounts (no shared logins)

- Open standards like TOTP

- Physical tokens

- Strengthen password recovery measures


Two factor is a huge step. One of the biggest impacts of phishing is due to credential reuse across sites. The damage that a phishing site (or compromised site) can do is quite limited if you have two factor auth for your other sites. Also, online phishing attacks are doable but have the disadvantage of the victim being right there and potentially able to notice the intrusion instead of the damage being done at arbitrary points in time later.

Are you completely secure against phishing when using 2fa sites? No. And you never will be. But you're significantly safer than you would have been without it.


In what way is bcrypt an alternative method when compared to two factor auth? Also, from the point of view of the live MITM attack you mentioned above physical tokens or TOTP wouldn't help either. What exactly are you proposing they do?


Err, you're right, bcrypt wouldn't help stolen passwords and a token wouldn't help a mitm. TOTP would be useful if it were used in a separate channel, but not in this case. I was just brainstorming ways to make authentication suck less in general.



