Comment on Proton releases a new app for two-factor authentication
IllNess@infosec.pub 7 months ago
Hmm… I’m not sure about having an authenticator app on a desktop computer.
Like you are putting all your eggs in one basket. Password managers, and your emails already go to one place for authentication. Adding an authenticator means if your computer is compromised, a person can have access to more accounts.
I always figured this is why desktop authenticator apps aren’t a thing.
Absolutely. 2FA codes (and 2FA ‘single use codes’ / recovery codes) should not be stored in the same system that manages your usernames and passwords - it defeats the purpose of 2FA.
But most people will just breeze past advice and do whatever is most convenient.
I don’t view it as simply compromised or not. How a password is compromised is relevant. The vast majority of issues aren’t somebody gaining access to your logged in machine. Passwords are nearly always compromised from a server mishandling data.
That means in most cases 2FA near a password is not likely to be an issue. I’m not saying I recommend it, but it does change the risk evaluation.
Peoples credentials are increasingly captured by information stealer malware, including attacks on Keepass. It’s not just services mishandling their data that people should consider as likely vectors.
I do agree about evaluation - it doesn’t matter much with stuff like a forum account that has 2FA, but I certainly wouldn’t put any of my banking or key account 2FA backup codes or credentials in a password manager or central account/password storage service. It weakens your protection if something does go wrong.
I am (was?) one of those. Working on eliminating or changing the passwords and emails of my 550+ accounts. I’m creating a simplelogin email for each of the ones I’m keeping, setting up a randomly generated password for each as well (24+ characters long with every possible character available), trying to delete the accounts of services I don’t want/need anymore, and then setting up 2fa on Aegis if they don’t accept a hardware tokens.
But it’s an intense and long process, though absolutely worth it. With work and personal life, I’m guessing I can be done in a couple of weeks.
This is what I did.
Well hopefully the 2FA data is encrypted and the app requires a pin or password to access.
Plus my password manager also needs a pin after it times out, and my computers all have their drives encrypted too.
The alternative for people who want a convenience factor is putting it all in the same location. For example, the only thing Authy for desktop closing did for me was make it so I no longer had an isolated app for both 2FA and passwords, because now it’s just all in my password manager.
I don’t always have my phone on me 24x7, so the inability to access things on my desktop is a massive nope for me.
The way I looked at it, it’s no different than having a mobile device with a password manager on it, because if someone steals your mobile device, they have access to everything as well. So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.
The way I looked at it, it’s no different than having a mobile device with a password manager on it, because if someone steals your mobile device, they have access to everything as well. So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.
That is true. And more phones are stolen now than computers. Computers can have the same security and encryption if properly configured.
Even though you make a logical point, something in my gut doesn’t feel right.
These are great points, but there is something more that phones have going for them.
All modern phones are full-disk encrypted by default, and can be remote wiped. I think this is only the case for Mac laptops, but not for Linux and Windows.
So if your phone is stolen, it’s not really a risk of the thief having your password manager and your 2FA at the same time, but rather can they get in to your phone and then password manager and 2FA before you can trigger the remote wipe.
Unless the attacker is sophisticated enough to mirror the whole disk and attack it offline.
Yeah. You have great points. A lot easier to wipe a device that is actively connected. Laptops don’t usually have that luxury. It is a lot easier to take apart a laptop. It is easier to plug in a USB HID for brute forcing or to constantly move a pointer to prevent it from going to sleep.
I guess that’s the feeling in my gut.
Thank you for your input.
So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.
I think that argument was rooted in the assumption that the phone was a separate and smaller attack surface. The assumption is reasonable if you use your credentials mostly on desktop and only have a few apps on your phone, which was indeed the case for a lot of people in the past.
But nowadays, a lot of people use the same credentials on the phone just as well, and with everything asking to install their app, I’m not sure the attack surface really is smaller anymore. So, if you’re in this scenario, I agree with you that you may not be sacrificing much by having 2FA on desktop.
And, of course, 2FA, even in the same password manager, is still better than none. Your first factor can be stolen in more ways than just compromising your machine, for example through data breaches.
But nowadays, a lot of people use the same credentials on the phone just as well, and with everything asking to install their app, I’m not sure the attack surface really is smaller anymore. So, if you’re in this scenario, I agree with you that you may not be sacrificing much by having 2FA on desktop.
This makes sense and puts holes in my statement. I also feel like more people are willing to install shady stuff on their phones than their desktop now. I have no sources for this though.
That makes sense. I hadn’t really looked at it from the angle of most apps are going on devices anyway. Mine was just because of the fact that it’s super annoying having to have my phone on me at all times for two-factor authentication. Especially considering that most 2FA apps require you to sign in in order to use them anyway.
Also, yeah, that was my ideology when I threw them into my password manager. That if they can manage to breach a device, find my private key that’s used to lock the database and figure out the password for the database. Something far worse has gone wrong and losing my passwords is the least of my issues.
Appoxo@lemmy.dbzer0.com 7 months ago
No company phone = Me using a desktop app for work related 2FA.
Not my problem.