General InfoSec discussion

Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.

  1. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,563
    Location:
    Brisbane
    Possibly the case with MS too of course!

At which point it's a simple risk discussion. Though I'm absolutely flabbergasted as to what possible scenario exists in which using your fingerprint a second time is such a life-changing issue that you care enough about it :D
     
    ir0nhide likes this.
  2. Rass

    Rass Member

    Joined:
    Jun 27, 2001
    Messages:
    3,145
    Location:
    Brizbekistan
    so I've recently seen password managers that also act as a 2fa device giving TOTP codes.
    I saw someone using autofill on both.
    Interested to know everyone's opinion.
     
  3. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,585
    Location:
    Adelaide
    Is 'LOL' an acceptable response?
     
    millsy likes this.
  4. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    45,081
    Location:
    Brisbane
    Continuing proof that any and all efforts to make the world a better place will be undone purely in the name of convenience.
     
    millsy likes this.
  5. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    11,983
    Location:
    Melbourne
    I see it as more of a commentary that the workers of the world are just trying to get some work done, and security needs to support that, not impede it.

I don't decry the need for security, but when it's more time consuming to beat your way through the multiple layers of security than to actually do the work - something is wrong.

I'm not a security person so I don't have the answers. But as someone who has to battle through multiple layers of security crap to get to the point where I can try and achieve something that's complex enough in its own right, there has to be a better way.
     
    Last edited: May 30, 2021
    Fraggle, tobes and karnophage like this.
  6. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,757
    Location:
    NSW
    Perhaps if the sign in to the password manager was not saved, and it required 2fa for a new sign in (once per day or when the browser is closed/reopened would be somewhat ok IMO), or it required a new sign in/2fa to unlock its own 2fa for a set amount of time then that would be ok. Anything else is breaking the entire benefit of 2fa.

    Security is always a balancing act between ease of use and the actual security provided. IMO most 2fa is not all that cumbersome - though I am glad most use authenticator apps rather than each service requiring a different hardware OTP generator. I'm sure there are setups with so many layers of security on them that it takes longer to get in than to do the work, but I don't think most 2fa falls into that category.
     
    BAK likes this.
  7. fredhoon

    fredhoon Member

    Joined:
    Jun 27, 2003
    Messages:
    2,820
    Location:
    Brisbane
My useless banking app does that, pushes a 2FA code via the App and auto-fills so the transaction proceeds. Maybe I should write my pin down on the back of the Cc for similar convenience, or better yet have it auto-fill the pin at an ATM!

    I used to use the mobile website to transact and the app just for the 2FA codes, however they steadily discriminate between web banking and app features to force everyone down the App path.
     
  8. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,563
    Location:
    Brisbane
    Unfortunately until those better methods arrive we need an interim solution.

    However auto filling TOTP codes probably isn't it :D
     
  9. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    45,081
    Location:
    Brisbane
    Again, this is the "convenience trumps all" argument, which I don't subscribe to.

What's worse, 30 seconds out of your day to 2FA into your SSO, or multiple weeks of complete business shut down due to ransomware?

    And let's be honest, those 30 seconds of 2FA log in are not even close to being the low hanging fruit of employee time wasting.
     
  10. Rass

    Rass Member

    Joined:
    Jun 27, 2001
    Messages:
    3,145
    Location:
    Brizbekistan
    yeah, my workflow for using it is pretty much:
    • use bookmark to get to console website
    • unlock password manager using complex password
    • click fill credentials, then OK
    • unlock phone, enter 2fa code
    • poke around on web console for shit that wasn't properly automated.

    the amount of actual time saved is minuscule, and it's not breaking flow, as I'm already not concentrating hard.

I've thought about the impact on security and it's essentially the creation of one point where security is weak. If someone was to gain access to that laptop, they could potentially get all authentication requirements for this service. Which kinda defeats the purpose of 2fa.
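The single weak point Rass describes, and the time-boxed re-verification wazza proposed earlier in the thread, modelled in code. This is an added example, not code from the thread or from any password manager: the RFC 6238 TOTP routine is standard, while the vault entry, the password, the seed (the RFC 6238 test key) and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed example: RFC 6238 TOTP plus a toy model of a password manager
# that stores the login password and the TOTP seed in the same vault.


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code is a pure function of the seed
    and the clock, so whoever holds the seed can produce every future code:
    the seed *is* the second factor."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


# Constructed vault entry: password and TOTP seed side by side. The seed is
# the RFC 6238 test key, so the codes can be checked against the RFC vectors.
ENTRY = {"password": "correct-horse-battery", "seed": b"12345678901234567890"}


def autofill_ungated(entry: dict, now: int) -> tuple:
    """Autofill as discussed in the thread: one vault unlock yields both the
    password and a valid code. Both 'factors' now live in one place."""
    return entry["password"], totp(entry["seed"], now)


def autofill_gated(entry: dict, now: int, last_verified_at, window: int = 3600) -> tuple:
    """wazza's proposal modelled: the vault releases a TOTP code only if a
    separate sign-in/2FA check happened within `window` seconds. Otherwise it
    fills the password alone and the caller must re-verify before the code
    is filled (returned as None here)."""
    if last_verified_at is None or now - last_verified_at > window:
        return entry["password"], None
    return entry["password"], totp(entry["seed"], now)
```
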
     
  11. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    11,983
    Location:
    Melbourne
    if that was the case I would not be making the comment.

    log into laptop with normal account details.
    can't do anything substantive until VPN is running which requires separate account and 2FA.
    can't have any software installed locally, all has to be via citrix. log into citrix with yet another account and 2FA.
    now log into applications with *another* set of credentials - and again, 2FA.

    and all of that times out on a regular basis and has to be redone. literally multiple dozens of times a day.

    and security insist that every bit of it is necessary and frighten management with stories of doom if their advice is not followed to the letter, because that covers *their* arses either way. if every layer of security they can think of is used regardless of the extreme inconvenience it causes, they claim they protected the business. if the business doesn't want to adopt every recommendation because of the cost and time suck, if a breach occurs then security just wash their hands of the problem and say their recommendations were not followed. good system. :thumbup:
     
  12. fredhoon

    fredhoon Member

    Joined:
    Jun 27, 2003
    Messages:
    2,820
    Location:
    Brisbane
Sounds like an overzealous and poor implementation rather than a criticism of 2FA.
     
  13. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,621
    Pls show me a good real world implementation of SSO with 2FA.

Caspian's user story would be far more common than the other.
     
  14. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,364
    Location:
    Canberra
    welcome to the real world, where...

    - not everything supports SSO (or only supports the SSO you don't use), so you get a proliferation of accounts
    - separation of privilege is a thing, so more accounts
    - then security comes along and tweaks all the knobs so you have stupidly short session timeouts, multiple 2FAs that need 2FAs to access, and the latest one I'm seeing...
- Just In Time privileges. where after you go through the administrative (forms in triplicate lol) and security hoops to get a privileged account (that requires a hardware 2FA) and the right group memberships to do your work, you then have to apply (scheduled in advance) and be approved to use them every 1-8 hours.
     
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    45,081
    Location:
    Brisbane
    You fucked up your SSO. Sack your sysadmin team / CIO / CTO and try again.
     
    Last edited: May 31, 2021
  16. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    4,152
    Location:
    Melbourne
    My current work one is pretty good.
    Okta SSO with 2FA - Second factor can be any of SMS, PUSH, Google Auth Type App, Biometric/TouchID/FaceID or token. With token enforced for production systems
     
  17. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,621
    How many times do you need to enter a password/mfa code each day?
    how many systems do you have that don't use your SSO password?
    how many systems do you use that don't support SSO?
     
  18. fredhoon

    fredhoon Member

    Joined:
    Jun 27, 2003
    Messages:
    2,820
    Location:
    Brisbane
    Once
Most of the legacy systems, only 3 of which I use on a regular basis; none require 2FA when accessed from a device that's already been authenticated. (most can only be accessed internally)
    Half a dozen or so, maybe more. Again they don't require 2FA as you need to be authenticated to access them in the first place and also while annoying, they are different front ends to the same legacy systems. All have long timeouts because they are not accessible without authentication onto the network.


That said I'm just an end user and don't need to deal with escalated privileges on multiple devices/networks/clients or access significantly privileged info as per cvidler's perspective

It all sounded reasonable up until here. What's the likelihood of the risk scenario that's being mitigated against? Ignoring the impact/sensitivity of the system which will drive overreaching controls, surely the timeouts between idle sessions and TOTP re-authentication don't need to be so overzealous as caspian's example.

    I would expect aggressively short timeframes to incentivise "keep alive" behaviour from less scrupulous end users in the name of convenience, which I suppose drives shorter TOTP windows and the cycle continues.


    That sounds like a lot of fun, however I understand why certain industries' risk/threat assessment would result in these controls.
     
    Last edited: May 31, 2021
  19. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    4,152
    Location:
    Melbourne
    Every 3 hours we have to re-authenticate. Systems that don't support SSO and/or don't have the same password we use OKTA as password manager.

Unsure why they picked 3 hours but I suspect it has something to do with HIPAA, SOX or some other regulation like that as it was recently changed down from 6
     
  20. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    11,983
    Location:
    Melbourne
    and therein lies the problem. this was deliberately done because it was evaluated that SSO was inadequate to need. so the poor user gets caught between a security team that doesn't care about usability, and a business that's too scared to decide to do anything more realistic. and of course there's no money to do anything.

    so the users use autofill and macros and have passwords written on sticky notes, because all they're trying to do is get some work done.
     