To be fair, in the case of a security bug in the password manager (such as the few previous LastPass bugs in this vein), you are slightly more protected. In that case it doesn't really matter where you store the TOTP key (presumably you're not going to unlock your password database on that machine). Personally, my view is that (if you're using a password manager with a unique password per site) 2FA primarily protects you when you have to input your password on an untrusted system that may have a keylogger. Even in the case of password leaks, if someone breaches the password database of a website, they can just as easily dump the TOTP table.

Sure, but if your threat model is that the attacker has enough access to your machine to extract your password manager's database, they can also just copy your session cookies from your existing browser session.

It's as if it is cool to say the most secure use case people can think of without even considering what and who it is that is actually protected, and from whom. Security is kinda cool these days and everyone is a security expert, but just reiterating trained responses without actually thinking about the attack vectors is getting a bit annoying. Since this device doesn't actually have network connectivity, he might potentially have this problem when someone is watching his watch with a camera, or if someone is able to do something in his close proximity, which means it absolutely is better than SMS-based 2FA, and the phishing attack vector is different; and if a person has access to him in close proximity anyway, the cheap USB security doesn't offer anything (well, not completely true, but almost) over this particular TOTP use case.

(And Google supports a special hardware-token-only mode which I wish more sites would adopt.)

It's best to use hardware tokens everywhere that supports them, and both Google and GitHub do. It's still vulnerable to phishing, local device malware (that attacks your TOTP in your password manager), etc.

TOTP is not much better than SMS-based 2FA.