1password mfa
11/29/2023

First: Fuzzy thinking. The attackers have access to _a copy of the password_. The copy they got wasn't necessarily anywhere near the OTP secret.

But yes, each OTP expires, and that's a difference for an attacker who doesn't know the underlying secret. 2-3 minutes is more realistic for real sites than 30 seconds, because there is usually a margin allowed for clock skew. TOTP is also not supposed to be re-usable: a passive keylogger gets the TOTP code, but only at the same moment it's used up by you successfully logging in with it. Implementations will vary in how effectively they enforce this, but in principle at least it could save you.

Caveat: The system may issue a long-lived token (e.g. a session cookie) in exchange for the TOTP code, which bad guys _can_ trade, unlike the token itself.

I think there's also a difference with passwords on the other side of the equation. If I get read access to a credentials database (e.g. maybe a stolen backup tape), I get the OTP secret and so I can generate all the OTP codes I need, but in a halfway competently engineered system I do not get the password, only a hash. Since we're talking about 1Password, this password will genuinely be difficult to guess, and guessing is the only thing I can do, because knowing the hash doesn't get me access to the live system. If you have a 10 character mixed case alphanumeric password (which is easy with 1Password), and the password hash used means I only get to try one billion passwords per second, you have many, many years to get around to changing that password. In this case 1Password is protecting you somewhat while my TOTP code made no difference.

Still, FIDO tokens are very much a superior alternative, and their two main disadvantages are fixable: not enough people have FIDO tokens, and not enough sites accept them.

If you don't put people on pedestals you've got less cleaning up to do later when they inevitably fall off. Yes, that includes you (and of course me).