- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Red Shazam
I realized long time ago that I don’t want my 2FA be tied to my phone number. And then i found you can’t export your data from Authy because they know they are scummy fucks and don’t want to anyone to leave
You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.
Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file
‘hacked’. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.
Yeah. They got data in a way that was not intended. That’s a hack. It’s not always about subverting something by clickity-clacking like in the movies.
Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.
It’s the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn’t (SQL injections, etc) – the other, is using the system exactly as it was programmed.
Downloading videos from YouTube isn’t “Hacking” YouTube. Even though it’s using the API in a way it wasn’t intended. Right-clicking a webpage and viewing the source code isn’t hacking - even if the website you’re looking at doesn’t want you looking at the source.
A missing rate limit is a vulnerability, or a weakness, depending on the definition. You’re playing smart without having an idea of what you’re talking about. Here you go:
https://cwe.mitre.org/data/definitions/799.html
YouTube videos are public, and as such it’s not really hacking. If you were able to download private videos, for example, it would be a vulnerability like “Improper Access Control”. It does not matter in the least whether you use an “exploit” in your definition (which is wrong) or “just increment the video ID”.
The result is a breach of confidentiality, and as such this is to be classified as a “hack”.
With due respect, you are wrong.
hack
…
- (transitive, slang, computing) To hack into; to gain unauthorized access to (a computer system, e.g., a website, or network) by manipulating code
Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.
Exactly what this is. Read the disclosure. What about your response doesn’t fit that?
They did not do it by manipulating code. This wasn’t the result of a code vulnerability. If you leave the door wide open with all your stuff out for the entire neighbourhood to see, you can’t claim you were “broken into”. Similarly, if you don’t secure your endpoints, you can’t claim you were “hacked”.
Lack of rate limiting is a code vulnerability if we are talking about an API endpoint.
Not that discussion makes any sense at all…
Also, “not securing” doesn’t mean much. Security is not a boolean. They probably have some controls, but they still have a gap in the lack of rate limiting.
It is a vulnerability, but exploiting that vulnerability is not generally considered by security experts to be “hacking” in the usual meaning of that term in academic settings. Using an open or exposed API, even one with a sign that says “don’t abuse me”, is generally not considered hacking.
Well from a professional here: It is.
Does anyone have a suggested alternative for authy? (Please read the whole post before responding)
I’d love to go with an open source solution as I’ve done with my password manager, but that doesn’t seem possible with one of my big requirements:
Scenario: I’ve had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I’m able to log into my cloud storage and access my password database.
At this point I’d probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I’m not sure anything like that exists ready to go. I’m not particularly interested in rolling something myself for this.
I’d be dubious of jumping from one closed source product to another, but if there’s a particularly good option I’m all ears, I’ve been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.
Edit: added emphasis
Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis
Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?
The point is you physically and locally back up the database. Put it on your computer, or a flash drive or whatever. You can set a different, longer password for backups, and I would recommend you do that. When you get your new phone, you just copy the database into it and load it into a freshly installed Aegis. You don’t even need to self host anything, there is nothing to host.
Not everything needs to be “in the cloud”. I think this event illustrates nicely why.
This is specifically a scenario where I’m starting from a single blank device because I’ve just been robbed on the other side of the planet.
Edit: for added weight, I’ve been in this exact scenario. I was able to get my ESIM reprovisioned to a new phone and recover everything within a day. I don’t want to replace authy with a solution that doesn’t cover that scenario
Well I thought this was kinda obvious what I meant, but I guess not. What you say is a requirement (sms recovery of a cloud account) is just one of many solutions to your specific problem. I’ll just list off a few solutions below that involve neither SMS (the most insecure communication method in common use today) and only optionally a cloud account. For cimplicity sake I’ll stick to Aegis, where you can create password-protected local backups you can then put wherever you want. This password needs to be very strong for obvious reasons: I would recommend a long sentence (40 characters or more) that you can just remember, like a quote from a movie/tv show/book/poem or something, including normal punctuation as a sentence for example.
Solution 0: This is more of a trivial solution I wouldn’t actually recommend. You can allow account recovery via eMail and have your eMail not use 2fa, but a long/good password so you can login from memory (see above). This is probably more secure than SMS for the recovery-case, but less secure for the everyday use case of eMail, therefore “not recommended”.
Solution 1: USB Sticks are tiny, as in the size of a USB port (slightly longer but slimmer for USB-C). If you want to have a backup “on you”, I’m sure you can find a place where it wouldn’t get robbed with the phone/wallet. A tiny pocket somewhere, a string around your ankle, make a compartment in your shoe, or just have it with your luggage at the hotel. I’m sure you get the point. You get your new phone, you plug in the USB, you install Aegis and restore the backup.
Solution 2a: Dedicated “online” storage. This can be self hosted, or a free account of any cloud provider, but the important part is that it does NOT require 2FA and you do NOT use it for anything else. You have the backup in there. It also needs a very secure password (again: long, but easy to remember, no garbled letter nonsense), but obviously not the same as the Aegis-Backup. So you now need to remember 2 long passwords. You get your new phone, you log in, get the backup and proceed as usual.
Solution 2b: If not having 2FA is not an option for the solution above, you can have a friend/family store the 2FA on his phone. To log in, you go to the login page and enter your password (which your friend doesn’t need to know), and you ask him over the phone for the current 2FA-Code, which he tells you and you can log in, download the backup and proceed as above. I assume such a high security isn’t that critical, since you have been using something involving SMS. Restore then goes as per usual.
Solution 3: Store the whole backup with a friend and when you need it he just temporarily puts it somwhere you can access, and removes it again after. Since the backup is protected by a monster of a password, and the accessibility is temporary anyway, this isn’t security critical.
Solution 4: If you absolutely must, you can find a cloud-provider for 2FA, and use it only as the “first stage”. The only 2FA code in there is the one you need to get access to your main online storage/account where you then have your real Aegis-Backup and/or other files. Obviously this service would need to allow you to login without 2FA, and the usual password rules resulting fom that apply. You can just add the 2FA of your primary service to more than 1 app or service, or if it allows for this, you can generate multiple authenticators so you can also revoke them serperately if needed.
Well I thought this was kinda obvious what I meant, but I guess not.
Alright, drop the sass, if it was obvious your post wouldn’t be the length it is. Now chill, I genuinely appreciate your response
0, no go
1, also a no go, I can’t guarantee I’ll have an extra thing
2a. No 2fa, so this is a reduction in my current security
2b, this could be workable, I already self-host a number of services, but I want to be sure situational neglect (i.e. life is too busy for me to pay attention) cannot compromise this, therefore it’s gotta be a turnkey solution that I can configure to auto update, which is what I’m asking for in my comment. I need your specific solution for this, generalisms are useless here.
3: Not workable, I can’t rely on someone else being able to help in every possible scenario (and tbh I wouldn’t want to put that responsibility on someone)
4: This is a pretty good one tbh, though I guess if I’m going to pick holes, if the first stage is good enough as the gate, it diminishes the reason to have the second stage, so I’d wonder what you would suggest that could tick all the boxes for that first gate.
Edit: weird numbering formatting to combat lemmy formatting doing weird things
Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?
Unfortunately I can’t use aegis on iOS/windows, does keepass have this functionality?
Buy a few (at least 2 for a backup) yubikeys.
Much more secure.
You can store the TOPT codes on them, but then you can also do all the higher security things too.
No one’s breaking into your Google account if you secure it with those keys and remove the sms backup method unless they’ve physically stolen the yubikey