In that case, any of the vulnerabilities you mention still apply to Yubikeys since they're inherent to the OATH TOTP protocol, not to the platform that runs it. But as OP said in their post, Yubikey support OATH TOTP just like Google Auth, and some people have to use it since many websites support TOTP but don't support FIDO. You can say it won't happen with FIDO, which would be correct, or with Yubico OTP or HOTP (for replay, both of those can be phished). Phishing is just "give me the code so I can use it and you don't use it at all. You're talking about some sort of branching MITM attack. Time-based OTP tokens generate codes that are valid only for a certain amount of time (eg, 30 or 60 seconds), after which a new code must be. Event-based OTP tokens generate new codes at the press of the button and the code is valid until it is used by the application. Phishing would basically just take the code instead of you using the code. OTP tokens come in two types: event-based (HOTP) and time-based (TOTP). Phishing is a common scenario where this might happen. A good one will not allow the same code to be used twice and will force you to wait until the next 30 second period to access the website again. Microsoft and Google offer free authenticator apps that generate time-based one-time passwords for two-factor authentication (2FA) logins. This depends on the website/relying party. There is potential for replay attacks with TOTP codes. Meaning it will help people secure more stuffs. Which means it is more likely to be used for more services. The advantage Google Authenticator or other TOTP apps have is that it is often somewhat easier for people to use. Which is useful, but sacrifices some of the security, since that means if you left your Google Authenticator unlocked and someone else was able to briefly get to it, they could basically extract+clone your 2FA secrets. The current version of Google Authenticator allow exporting so you can transfer between devices. Which probably means they could be extracted and migrated to something else. They do a pretty good job security secret database with some kind of encryption or something else, but the software has to load the secrets to be able to generate the codes. Most software based tools store the secrets on a drive. The advantage of a Yubico, is that the secrets are stored in hardware, that basically makes it completely impossible to extract the secret.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |