MFA (2FA) mechanisms


#1

Multi-factor authentication is great! I’m really glad we have it.

I’d like to request that other methods be added in addition to the Google Authenticator app and Yubi Key. Some suggestions include receiving a code by email or receiving a code by SMS.


#2

Glad you’re appreciating MFA! Regarding your suggestion though, both SMS and email are considered insecure vectors to deliver confirmation codes, so I doubt those will be implemented.

Some reading material:


https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html


#3

Hi @smaffulli and thanks for your prompt, interesting, and very informative reply!

That’s a good point about SMS being an unsafe vector. I wasn’t aware of just /how/ unsafe it is, but I don’t disagree with the idea to exclude it. In fact, the more I read those threads you linked, the more I agree that SMS cannot be used as a medium for MFA.

And I understand that MFA via email is not perfect, but neither is MFA via app.

Unfortunately (unfortunately for me, that is), this means that I will not be using MFA for Dreamhost. As one commenter on that Schneier thread wrote, it’s a bit like throwing the baby out with the bathwater. More-secure MFA is better than partially-secure MFA, but some MFA is better than no MFA. I would appreciate the choice to accept a “partial improvement to my security” by using email-based MFA. But I understand that from a system development standpoint, it’s not worth the time or the risk to intentionally allow a solution that’s not up to spec.

Thanks again for explaining and sharing those links.


#4

Before embarking on a philosophical debate about “partial” security, I’m curious to learn what blocks your usage of the MFA app. Maybe there are workarounds we can suggest for you to use. Can you elaborate a bit more on your situation?


#5

Well, most specifically, a few days ago my dog destroyed my phone. Thankfully I had set this computer to not ask for my MFA key for 30 days, so I was able to disable MFA before being locked out of my account. But for the time being (until I get a new phone) I have no smartphone. In this day and age, it’s a rare occurrence for someone to be without their phone, but it’s my situation at this particular moment, and it specifically precludes me from using MFA.

IIRC, there are some backup codes that were generated when I first activated the MFA. I was careless and neglected to save them. I suppose the safest place for those would be a notepad inside a fireproof safe in my house. But I don’t have a safe. I would probably store the codes in my web-based email.

[warning: I tried to avoid it, but I admit I went into a philosophical bent in this next paragraph. caveat lector]
There’s also the issue of physical security of the device itself. In the unfortunate possibility of a cell phone being stolen (or broken into), if the person has an app installed then the criminal will find out details about the person’s digital life. Now, I don’t think anyone is specifically going to hunt me down and break into my tiny website. But the potential security hole still remains. An email or SMS message can be received and then deleted, but the Google Authenticator app can’t be installed and then uninstalled every time. I get around this by using custom icons and labels (using Nova Launcher) as a sort of “steganography,” and it works. But not when my phone is broken…


#6

Been there, done that. (Actually mine was dropped in water… we’ll leave out where the water was, but I’m sure everyone can guess…)

I found then that there was a pretty simple solution for me:
1 - I always have a backup phone anyway. (Always charged and always ready to drop a SIM card in.) I just make sure now to have the Authenticator app already there and set up.
2 - I also added Authenticator to my iPad.
3 - I also put Authenticator on my wife’s phone.

3 backups, I should be covered.

It would be nice though if Dreamhost warned while setting up 2FA that you might want to think ahead, and maybe configure the app on more than one device. For THAT day… (we all have them sometime…)

It would be nice if the dreamhost documentation would suggest putting authent
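
The advice in #6 (enrol the same authenticator on several devices) and the backup codes mentioned in #5 both rest on how TOTP works, so here is an added example, written for this thread and not code from Dreamhost or from any of the posters. Every device that scans the same QR code reads the same base32 secret out of the otpauth:// URI and therefore computes the same six-digit code for the same 30-second step; backup codes are a separate list of single-use random strings that a site stores hashed, like passwords. The secret below is the RFC 6238 test vector, the account name and URI are constructed for the example, and the hashing of backup codes is one reasonable design, not a description of what Dreamhost does:

```python
"""Added example: TOTP (RFC 6238, HMAC-SHA1 profile used by Google
Authenticator) plus single-use backup codes. Not Dreamhost's code."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238 test secret (ASCII "12345678901234567890"), base32 encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, unix_time, step=30, window=1):
    """Accept the current step and +/- `window` steps to tolerate clock
    skew; compare in constant time so a wrong guess leaks nothing."""
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + skew * step, step=step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_otpauth_uri(uri):
    """Pull the base32 secret out of the otpauth:// URI behind the QR
    code. This is exactly what every extra device reads when it scans
    the same QR, which is why the codes on all of them agree."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    return parse_qs(parsed.query)["secret"][0]


def enroll_devices(uri, unix_time, count=3):
    """Simulate `count` devices enrolled from one QR code: all derive the
    same secret and so produce the same code at the same instant."""
    secret = secret_from_otpauth_uri(uri)
    return [totp(secret, unix_time) for _ in range(count)]


def generate_backup_codes(n=10):
    """Return (plaintext codes to show the user once, hashes to store).
    Each code is 40 random bits, so an unsalted SHA-256 is adequate here;
    the server keeps only the hashes, never the codes themselves."""
    plaintext = [secrets.token_hex(5) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plaintext}
    return plaintext, stored


def redeem_backup_code(stored_hashes, code):
    """Single use: a matching hash is removed so the code cannot replay."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False


if __name__ == "__main__":
    # Constructed provisioning URI with a hypothetical account name.
    uri = ("otpauth://totp/Example:alice?secret=" + RFC6238_SECRET_B32
           + "&issuer=Example")
    print("three devices, one secret:", enroll_devices(uri, 1111111109))
    codes, store = generate_backup_codes(3)
    print("backup codes (show once):", codes)
    print("first use:", redeem_backup_code(store, codes[0]),
          "replay:", redeem_backup_code(store, codes[0]))
```

The practical consequence for the situation in #5 and #6: scan the QR code (or copy the secret it carries) into every device you want as a backup at enrolment time, because once the QR screen is gone the only way to get the secret onto another device is to reset MFA. Backup codes are the other escape hatch; the plaintext list is shown exactly once, so it has to be saved somewhere offline at that moment.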


#7

I can relate to your pain: my phone went in the (salty) drink and I had to reset all the MFA thingies… it wasn’t pleasant. Luckily I have an android tablet I could use while waiting for the replacement phone but, yeah, I didn’t print most of the backup codes so… I had to grab a bag of patience.

I’ve recently learned that there are many MFA providers that work anywhere Google Authenticator works. Authy, for example, seems to have a way to back up and synchronize: https://authy.com/features/. Also https://1password.com and https://lastpass.com/auth/ seem to offer a rather better user experience than the stock Google Authenticator.

Hope this helps.