If I’m authenticating with “something I have” then why not use the iPhone itself, which also happens to add a layer of “something I am” (FaceID) as well as easily supporting entry of something I know (PIN or password)? Using a hardware token to authenticate to an app on an iPhone makes about as much sense as... sorry, it makes absolutely no sense at all. I trust the secure element on the iPhone a lot more than I trust the hardware on the Yubikey.

The days are numbered for this whole idea of a separate piece of hardware (USB/NFC) to do authentication. If I’m adding a “something I have” factor to my authentication flow (or even making it the only factor) it’s going to be the phone hardware itself, not an extra dongle thing I have to carry around.

FIDO’s upcoming CTAP unfortunately is going about it the wrong way, IMO. I don’t want to have to establish NFC or Bluetooth from my iPhone to my desktop to enable me to use my iPhone to authenticate on my desktop. It’s entirely unnecessary since both devices are already online. They are designing for a corner case, which makes the primary case too complicated.

What version of Yubikey do you have? Lastpass works only with Yubikey 5.

If I install a TOTP generator on a machine and set up 2FA on a third-party service, and I then later log in with a password and a 6-digit TOTP code, that is definitely 2FA. You can argue my TOTP shared secret may or may not be secure enough from malware. But it’s definitely 2FA and it successfully protects against the attack vectors that adding a “something you have” factor is designed to protect against. Better than SMS codes, for sure.

Could the TOTP shared secret be stolen if it’s kept in a file on my desktop? Of course! But that fundamentally changes the attack vector from the typical password spraying attack, because now an attacker needs to directly target me and compromise my machine. If the TOTP shared secret is in the iPhone secure element and protected by the iOS sandbox, no consumer application could reasonably ask for anything better than that. That’s $1B of security R&D on your side.

Another way to think about it is that on-device TOTP is “something you have” just like a saved password is something you have.
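The password-plus-6-digit-TOTP login discussed in the comments above, as an added example that is not part of the original comments or of any product mentioned in them: RFC 4226 HOTP and RFC 6238 TOTP computed from the Base32 shared secret an enrolment QR code carries, a server-side check with a one-step clock-skew window, and a two-factor login that requires both the password and the code. The secret is the published RFC 6238 test key, not a real account; the `login`, `make_user` and `hash_password` helpers and the PBKDF2 password store are constructed for this example. The last lines make the commenter's point concrete: a copy of the secret file yields the identical code, so the factor is cloned rather than bypassed, which is why an attacker has to reach the machine (or secure element) that holds it rather than spray passwords.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Key from the RFC 6238 test vectors (ASCII "12345678901234567890"), Base32-encoded
# the way an enrolment QR code presents it. A published test key, not a real account.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step.
    Anyone holding the same Base32 secret computes the same code at the same moment."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps on either side to
    absorb clock skew; constant-time comparison so the check leaks nothing via timing."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = at // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


# --- constructed helpers for the "password + 6-digit code" login the comment describes ---

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count chosen for the example, not a production tuning.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret_b32: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret_b32": totp_secret_b32}


def login(user: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass. The TOTP check runs even when the password is wrong so the
    response time does not tell the caller which factor failed."""
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret_b32"], code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    user = make_user("correct horse battery staple", RFC6238_TEST_SECRET_B32)
    code = totp(RFC6238_TEST_SECRET_B32, now)     # what the authenticator app displays
    print("current code:", code, "login:", login(user, "correct horse battery staple", code, now))
    # A copied secret file produces the identical code: the factor is cloned, not bypassed.
    stolen_copy = RFC6238_TEST_SECRET_B32
    print("stolen secret yields same code:", totp(stolen_copy, now) == code)
```

With this key, `totp(RFC6238_TEST_SECRET_B32, 59)` returns `287082` and `totp(..., 1111111109)` returns `081804`, the last six digits of the 8-digit SHA-1 values in RFC 6238 Appendix B. The skew window is the edge case worth noticing: a code minted at T=59 is still accepted at T=89 but refused at T=119, so a server that widens the window for convenience is also widening the replay period of any code an attacker captures.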