Comment on Proton releases a new app for two-factor authentication

• RoadTrain@lemdro.id ⁨4⁩ ⁨weeks⁩ ago

  So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.

  I think that argument was rooted in the assumption that the phone was a separate and smaller attack surface. The assumption is reasonable if you use your credentials mostly on desktop and only have a few apps on your phone, which was indeed the case for a lot of people in the past.

  But nowadays, a lot of people use the same credentials on the phone just as well, and with everything asking to install their app, I’m not sure the attack surface really is smaller anymore. So, if you’re in this scenario, I agree with you that you may not be sacrificing much by having 2FA on desktop.

  And, of course, 2FA, even in the same password manager, is still better than none. Your first factor can be stolen in more ways than just compromising your machine, for example through data breaches.

  source

  • IllNess@infosec.pub ⁨4⁩ ⁨weeks⁩ ago

    But nowadays, a lot of people use the same credentials on the phone just as well, and with everything asking to install their app, I’m not sure the attack surface really is smaller anymore. So, if you’re in this scenario, I agree with you that you may not be sacrificing much by having 2FA on desktop.

    This makes sense and puts holes in my statement. I also feel like more people are willing to install shady stuff on their phones than their desktop now. I have no sources for this though.

    source
  • Pika@sh.itjust.works ⁨4⁩ ⁨weeks⁩ ago

    That makes sense. I hadn’t really looked at it from the angle of most apps are going on devices anyway. Mine was just because of the fact that it’s super annoying having to have my phone on me at all times for two-factor authentication. Especially considering that most 2FA apps require you to sign in in order to use them anyway.

    Also, yeah, that was my ideology when I threw them into my password manager. That if they can manage to breach a device, find my private key that’s used to lock the database and figure out the password for the database. Something far worse has gone wrong and losing my passwords is the least of my issues.

    source
• IllNess@infosec.pub ⁨4⁩ ⁨weeks⁩ ago

  The way I looked at it, it’s no different than having a mobile device with a password manager on it, because if someone steals your mobile device, they have access to everything as well. So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.

  That is true. And more phones are stolen now than computers. Computers can have the same security and encryption if properly configured.

  Even though you make a logical point, something in my gut doesn’t feel right.

  source

  • FrederikNJS@lemmy.zip ⁨4⁩ ⁨weeks⁩ ago

    These are great points, but there is something more that phones have going for them.

    All modern phones are full-disk encrypted by default, and can be remote wiped. I think this is only the case for Mac laptops, but not for Linux and Windows.

    So if your phone is stolen, it’s not really a risk of the thief having your password manager and your 2FA at the same time, but rather can they get in to your phone and then password manager and 2FA before you can trigger the remote wipe.

    Unless the attacker is sophisticated enough to mirror the whole disk and attack it offline.

    source

    • IllNess@infosec.pub ⁨3⁩ ⁨weeks⁩ ago

      Yeah. You have great points. A lot easier to wipe a device that is actively connected. Laptops don’t usually have that luxury. It is a lot easier to take apart a laptop. It is easier to plug in a USB HID for brute forcing or to constantly move a pointer to prevent it from going to sleep.

      I guess that’s the feeling in my gut.

      Thank you for your input.

      source