8

I'm confused about the risks of 2-factor authentication.

I'm a developer, who has to do some ops, and considering turning it on for my DigitalOcean and GitHub accounts. Both offer TOTP(?) and indicate Google Authenticator. Great.

Then I read some FUD about Google Authenticator and looked for an alternative. There's Authy and a bunch of others.

Ok, now I'm wondering what level of Trust I'm giving my 2-factor provider. I've never heard of these alternative companies.

1) I think any authenticator can't access my accounts because they don't have my username/password. Is that true? If they are compromised or a bad actor, what is at risk?

2) What are some simple industry best practice TOTP apps? Is Google Authenticator in the top 3?

Stephane
Michael Cole
    Wow, that FUD post is over-the-top. TOTP was created by Verisign (to attack RSA's SecurID, IMO) and submitted as an IETF RFC. They are right about public keys being a better way to do crypto, but since you are looking at what's offered by DO and Github, that's not really up to you. The real question is: is using 2FA on those services better than not? The answer is most definitely yes. – nowen Dec 18 '14 at 15:10

3 Answers

8

A TOTP (Time-based One-Time Password) authenticator app will not have your username and password. What it will have is a secret token that is used to generate a specific pseudo-random sequence of numbers that changes based on time (typically every 30 seconds). The app need not even have any network connectivity itself - that is just for backup purposes in case you lose your phone. Its job is simply to compute, for the current time, what the pseudo-random number should be. The site you are logging into will have the same token stored and associated with your account, and will compute the same pseudo-random value at any given time. Thus, when you log in, it asks for the current value being displayed by the app.

Who are you trusting?

In general, the answer is 'no one', which is good:

  • Edit: Of course, you are always trusting that the app you have installed on your phone does what it claims to do, doesn't have nasty security vulnerabilities, etc... You can't ever really trust "no one" when it comes to computing unless you start from scratch (as in sand) and make your own computer hardware yourself ;-)

  • Google Authenticator only stores the tokens locally on the phone. If your phone got hacked, somebody would have your TOTP tokens, but other than that, you're fine.

  • Authy apparently encrypts the tokens locally on your phone using a password you enter, so that they are just storing an encrypted blob for you (see their blog posting on this for details). That means that even if Authy's servers got hacked, nobody would be able to determine your TOTP tokens unless they guess the password used to encrypt them.

  • Even if somebody got your TOTP tokens, that only lets them defeat the second factor: it doesn't give them any information about your username/password.

**Best Practice Apps**

As to best practices, here are some thoughts:

  • This posting favors Authy and seems to give a clear explanation of the problems with Google Authenticator, as well as some info about features that you would want. In screening a potential candidate, it seems that the list of desirable features would include:

    1. A way to de-authorize a particular device if it gets lost
    2. A way to back up your authentication tokens, in case your phone gets wiped. This backup method should encrypt the tokens locally on the phone with a key/password that the entity doing the backup never gets: otherwise you are trusting them to not give your TOTP tokens to a bad guy. Again, this is about TOTP tokens and is completely separate from your username and password.
    3. The ability to de-authorize one device using another, in case the device is lost/stolen. This would mean that each device has its own TOTP tokens (not the same token shared across multiple devices).
stochastic
  • With regards to the 'who are you trusting' bit, aren't you still trusting that Google and Authy's apps do what they say? (Of course, because Google Authenticator simply implements RFC 6238, you can swap it with another app that implements the same RFC that you trust more.) – Daisy Leigh Brenecki Dec 18 '14 at 05:42
3

Well, the rather interesting conundrum with 2FA or multiFA is the endpoint and how the tokens traverse through the network. If you use google's SMS service or authenticator, notice how the shared secret key is passed. At the weakest link, at least for SMS services, if the telco stores the SMSes, and has access to your stream, then you will have to trust the telco or whomever to not use your shared cookie as well as the authentication code to access your account. With a compromised phone, you're also looking at someone who can read the sms, as well as your passphrase.

mincewind
3

First of all, any time you install any software of any variety, you're trusting the author of that software. There's no way around that. You're trusting that the author isn't malicious, that he isn't sloppy, that he knows what he's doing, that his implementation is correct, and a dozen other points as well.

Likewise you're trusting the site owner in a lot of the same ways. Beyond that, it's just math. You're trusting the math.

Google Authenticator is arguably as trustworthy as is possible as the company is well-established and has built a reputation on its tools and services being bulletproof. There is literally no incentive for them to cheat, and a strong incentive (and ample resources) to create a well-designed solution.

But they make some security decisions that a lot of people find inconvenient (like disallowing export of keys). So that could be reason enough to use an alternative.

I would hasten to point out that if at all possible, use the U2F token. I personally use it and am very satisfied with the experience. While TOTP/HOTP is really good, U2F takes it a step further providing absolute protection against phishing -- something no other product I'm aware of can claim. U2F was designed specifically for this purpose, and it really does make a difference. Just 2 weeks ago I encountered a report from a victim who was using TOTP but was tricked into typing in his authenticator token in a phishing attack, and lost control of his account. U2F would have protected him.

tylerl
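A worked example, added here and not part of any of the answers above, that covers two of the points made on this page: the TOTP computation stochastic describes (what the app and the site each derive from the shared secret, checked against the test vectors published in RFC 4226 and RFC 6238), and the phishing relay tylerl describes, with a U2F-style origin check beside it. The site origins, the device key, the fixed challenge and the HMAC stand-in for the U2F signature are assumptions for illustration; real U2F signs with a per-site ECDSA P-256 key, and the stand-in only models the property that matters here, namely that the browser puts the origin it is on into the signed data and the site checks it.

```python
"""TOTP on both sides of a login, then a relayed TOTP code next to an
origin-bound U2F-style assertion. Added example; not code from the page."""
import base64
import hashlib
import hmac
import struct
import time

# The 20-byte key from the RFC 4226 / RFC 6238 test vectors, and the same key
# in the base32 form authenticator apps import from a QR code / otpauth URI.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(s: str) -> bytes:
    """Decode an app-style base32 secret, tolerating missing '=' padding."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the value the app displays is HOTP with counter = time // step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """What the site does: recompute from its own copy of the secret, allow
    +/- `window` steps of clock skew, and compare in constant time."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, c), submitted)
               for c in range(counter - window, counter + window + 1))


# --- A relayed TOTP code vs. an origin-bound U2F-style assertion ---------------
REAL_ORIGIN = "https://github.example"          # assumed relying party
PHISH_ORIGIN = "https://github-login.example"   # assumed phishing site
CHALLENGE = b"\x01" * 32                        # constructed; real sites use a random one


def totp_login_relayed(secret: bytes, now: int) -> bool:
    """The phishing page asks the victim for the six digits and forwards them
    to the real site within the same 30 s step. The digits carry no information
    about where they were typed, so the real site accepts them."""
    code_typed_on_phish_page = totp(secret, now)
    return verify_totp(secret, code_typed_on_phish_page, now)


def u2f_assert(device_key: bytes, browser_origin: str, challenge: bytes):
    """What browser + token produce. The browser, not the web page, fills in
    `browser_origin`, so a phishing page cannot lie about it. (HMAC stands in
    for the real per-site ECDSA signature; the origin binding is the point.)"""
    client_data = f"{browser_origin}|{challenge.hex()}".encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()


def u2f_verify(device_key: bytes, expected_origin: str, challenge: bytes,
               client_data: bytes, signature: bytes) -> bool:
    """The site rejects any assertion whose signed origin is not its own,
    before it even looks at the signature."""
    origin, _, chal_hex = client_data.decode().partition("|")
    if origin != expected_origin or chal_hex != challenge.hex():
        return False
    expected = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def u2f_login_direct(device_key: bytes) -> bool:
    client_data, sig = u2f_assert(device_key, REAL_ORIGIN, CHALLENGE)
    return u2f_verify(device_key, REAL_ORIGIN, CHALLENGE, client_data, sig)


def u2f_login_relayed(device_key: bytes) -> bool:
    """Attacker fetches a genuine challenge, shows it on the phishing page, and
    relays the resulting assertion unchanged. It was signed for PHISH_ORIGIN."""
    client_data, sig = u2f_assert(device_key, PHISH_ORIGIN, CHALLENGE)
    return u2f_verify(device_key, REAL_ORIGIN, CHALLENGE, client_data, sig)


if __name__ == "__main__":
    now = int(time.time())
    shown = totp(RFC_SECRET, now)
    print("app shows:", shown, "site accepts:", verify_totp(RFC_SECRET, shown, now))
    print("TOTP code relayed via phishing page accepted:", totp_login_relayed(RFC_SECRET, now))
    print("U2F assertion relayed via phishing page accepted:", u2f_login_relayed(b"device-key"))
```

The `verify_totp` window is the usual one-step tolerance for phone clock drift; widening it multiplies the number of codes an attacker can replay within a minute, so keep it small. Note also that with only the secret, `totp()` gives an attacker every future code, which is exactly why stochastic's list puts a way to de-authorize a lost device first.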