--
You received this message because you are subscribed to the Google Groups "mooltipass" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mooltipass+unsubscribe@googlegroups.com.
To post to this group, send email to moolt...@googlegroups.com.
Visit this group at https://groups.google.com/group/mooltipass.
For more options, visit https://groups.google.com/d/optout.
On 2016-08-24 13:10, Chris Huitema wrote:
> the best thing about the Mooltipass is it overcomes the shortfalls
> of *now*, it remembers the few dozen passwords we all currently need
> (and it does really well)
>
> and while i do agree that adding Fido u2f to sites may be easy (well
> over my head to be honest!), many haven't yet and the majority (more
> than 80% of the accounts i have) don't even have 2fa.
>
> I have enabled 2fa on every account i can, and currently use my phone to
> provide 2fa, and it works well but I'm really concerned about all the
> vulnerabilities with such a device that i use for everything, that is
> exposed 24/7 to 3G/4G, BT, NFC, WiFi + whatever other ways it could be
> compromised
And the point of 2FA is that it is irrelevant that a single token gets
compromised. You need both factors to successfully authenticate.
If your phone gets stolen/hijacked/hacked etc., it does not matter, as
they still need your password.
Also, 2FA tokens are single-use/time-dependent, thus re-use is not possible.
> So yes having the Mooltipass do both password and 2fa may be slightly
> less secure, at the end of the day it's still 1) a device someone has to
> have
Like your phone that you carry around, if somebody is close by they will
be able to take it, just as well as they would be able to access it over
the connectivity you allow.
And as the mooltipass is shiny they will take it and then figure out it
needs a PIN, which makes it useless (FIDO U2F tokens do not have a PIN,
but for those you still need the second password).
> 2) a card someone has to have,
Do you unplug it and store it separately in a secure place?
What if you travel? Put it in two bags that thieves steal together?
(In that situation I keep the card on me, while the reader goes
elsewhere; though often it just stays in a safe ;) )
I know my bank token always has the card inserted... this is because when
somebody gets into my house, they also have the option of politely
asking me for the details (read: rubber hose crypto).
> 3) has a pin someone needs to know
The PIN is a great part of the mooltipass.
Though, has it been fully tested against automated testers a la an iPhone
(which has amazing security properties, btw)?
Android 'security' is just a farce though...
Check:
https://developer.android.com/about/dashboards/index.html
wow, Marshmallow has a full 15% of the market already, even after being
a full year on the market. Let's see how low the percentage will be for
Nougat now that it has been released recently to select devices.
4.4 KitKat is from 31 October 2013, thus almost 3 years old.
70% of the users are still on that, all affected by Stagefright and many
many other remotely exploitable bugs... ignoring the 'security' of the
applications that get installed and even side-loaded with full perms.
Hence if you think your phone is insecure, getting out of the Android
world is a good start. (unless you have Nexus devices, as that seems to
be the only semi-maintained thing, or you are making your own custom
loads on it...)
Also, proper OpSec: disable all mediums you are not using. You are not
leaving Bluetooth active when you are not using it, I hope?
Or traveling with WiFi enabled even though you do not expect WiFi to
become available?
Also, you did disable the
automatically-connect-to-any-open-hotspot-willing-to-steal-my-data
setting, I hope? :)
> 4) someone has to know how to use it and which login is for what
> account.
That is primarily because of the niche; if it were more common it would
be trickier. This argument is almost the same as writing your passwords
in reverse on a piece of paper or using rot13...
Always remember that an adversary that wants to get specifically to your
data will do exactly that: rubber hose crypto...
> so i would feel much happier knowing it's offline 95% of the
> time and has very limited attack vectors.
Offline is a very very good thing.
That is why most bank tokens are offline and why 2FA tokens do not need
connectivity to function (though they need correct time depending on the
algorithm).
This is also why most of these USB tokens (mooltipass included) try
to expose only a 'keyboard' kind of interface and no way of updating
firmware and other software on the device.
> and to me is 4 factor. and a
> lot lot safer than my old street name and pet
>
> If the same device could be used for both then people could choose how
> secure they want to be? if they want one device just for passwords and
> one for 2fa/u2f then they can set them up that way, or one device for
> everything
The thing is, people who do not know about security properties would
think they are fully secure, and then when that is proven to be false
would complain about it....
> (I personally want one for work and one for play)
You should keep work and home stuff 100% separated.... and hopefully
your company has proper security measures; recommend them mooltipass!
Greets,
Jeroen

I definitely agree that the best solution is to have a totally separate token device, so you have true two factor authentication, however while reading this thread this morning, I had an idea...
If the Mooltipass were to support 2FA of some form and could protect each generator with a separate PIN, then having to enter a PIN for them does kind of satisfy the 2FA requirements, as a potential attacker would need the device, the card and the account PIN for the password, and then also a further PIN for the 2FA.
For those of us who would want it entirely separate, we could then just keep two devices, one for passwords and one for 2FA, but they'd be the same battle tested hardware and software, rather than having to come up with a new design.
Anyway, just my thoughts
Phil
Implementing 2FA in the mooltipass significantly improves the situation if the computer is compromised or there is a man-in-the-middle attack, without requiring any extra effort on the part of the user. Two separate devices are not necessary for this extra protection.