5

Two factor authentication is so much harder to break than just a password, and token generators are getting stronger and stronger. Why are we worried about the quality and rotation of passwords when we can just use 2FA and be done with it? It's working well enough for the video game industry at preventing stolen accounts. Why isn't it good enough for the work place?

user150945
  • 51
  • 2
  • 5
    Recent guidance from the US and UK governments tends to suggest that password rotation be avoided, and that complexity rules may result in less secure passwords than would otherwise be the case. Therefore, the answer may just be that workplaces are slow to adapt... – Matthew Jun 14 '17 at 14:23
  • The point is that it is still required in a lot of standards, regardless of how effective it may or may not be – schroeder Jun 14 '17 at 14:47

1 Answers1

3

Two factor authentication is so much harder to break than just a password, and token generators are getting stronger and stronger.

This entirely depends on your 2FA method your org allows.

If your org allow SMS for 2FA it has well documented vulnerabilities such as vishing the service provider and essentially stealing the phone number to receive OTP SMS to: https://www.youtube.com/watch?v=lc7scxvKQOo (2:29)

And/or attacking the protocols directly such as SS7 exploitation: https://arstechnica.co.uk/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

Then you have interception / phishing attacks which can allow circumvention of 2FA methods as detailed here: Attacker circumventing 2FA. How to defend?

The only "saving grace" at this time would be using FIDO U2F however (https://fidoalliance.org/) where supported has not AFAIK had a compromise on record (if anyone is aware of circumvention for FIDO U2F please comment).

Why are we worried about the quality and rotation of passwords when we can just use 2FA and be done with it?

Password complexity is still important and I wrote about this (using some napkin math) here https://blog.oneiroi.co.uk/passwords/security/something-you-know/passphrase-or-complex-passwords/ and should not be discounted as "not required".

If you set your password to 12345 (one of the most common passwords in 2016) it's effectively one less layer of protection an adversary / hacker needs to contend against (as it is trivial to circumvent at that point).

Security in this case (and most cases) needs to be applied in layers, no one layer being more or less important that the other (your wanting to make it as difficult as possible for an adversary/hacker).

Password rotations is as far as I am concerned a "stop gap" measure usually where organizations would or could not apply an additional layer in 2FA or MFA.

Which then many standards jumped on the proverbial hype train and now require this.

There are studies and articles which suggest that regular password changes actually work against the security of the account due to users developing bad behaviors (the problem of the human). (e.g.https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/).

AFAICT standards have not taken these into account at this moment in time.

Assuming your org serves a client base, you may have clients which require in the business agreement between your org and the client there to be password rotations.

Sure it's a PITA but is it really a crusade you feel you can take on without detriment to the org you work for and perhaps loosing a few clients along the way ?

And really if there is no client paying the org, in all likelihood you will not at the end of the day have a job.

Oneiroi
  • 260
  • 1
  • 7