HydroBlockchain / community-brainstorming

A place for the Hydro Community to discuss ideas for the HCDP

Hydro 2FA phishing improvement. Make it 100% secure. #9

Closed realquink closed 5 years ago

realquink commented 5 years ago

Hydro 2FA is great, but I don't see it as leaps and bounds ahead of Google. Just my opinion, but mainly because it can still be phished. But what if this weren't the case? What if we could claim it is phish-proof? I think adoption would be easier to achieve if this were another feature in it. The Face ID and PIN code logins recently added are great at stopping some attackers, but that still won't stop the phishing ones.

Hydro currently creates one more step for phishers. So it is a little harder for a phisher, but it can still be phished. A Google phisher needs to have a user enter their site login and then their auth code on a fake site, and they then send it to the real site. A Hydro phisher would need to have the user enter their login on their fake site, enter this on the real site, then take the hydro code that is displayed and transfer it back to their fake site. The user would enter the code on their phone and then the attacker would have access.

So the extra step is grabbing the hydro code from the real site and sending it back to their fake one.

I have 2 thoughts to improve this currently:

  1. Add some captcha to the real site before the hydro code is displayed to prohibit a phisher's script from dynamically grabbing the code and passing it to his fake site. Maybe using Google's reCAPTCHA? I'm thinking it may be the best option as it's been tried and tested vs. creating one from scratch.

  2. This one isn't as well thought out. I didn't check out the HTML code yet that Hydro outputs. But randomly output the HTML for the hydro code so that a script can't be used to grab the ID or class names and transfer it back to a phisher's fake site. DIVs or SPANs could be interchanged too so they also can't be grabbed as easily, and output with IDs/class names that have random numbers on them. Just not sure how styling would happen then, unless it was inline.

I would love to hear your thoughts on this too. What ideas do you have?

MasterSensei commented 5 years ago

I have proposed some ideas around Chrome extensions and Cloudflare integrations that would compare the whitelist to the site in the browser.

Also, having the app itself confirm the correct code via web hooks is in process for v2 of the app. This will make it very difficult to phish, because the site can't spoof the codes and pretend like they were entered correctly. The user would get a big red X on their phone if the site itself didn't match the phone.

ReyHaynes commented 5 years ago

@realquink @MasterSensei This phishing claim isn't exactly accurate.

The code that is requested to enter is a bit less relevant to what the Hydro 2FA is offering as protection. The message we send, to confirm a user is who they say they are, is done on a crypto signature hashed level. You can't exactly phish with the code on your phone itself.

For someone to successfully phish, not only would they need a masterful scheme to deal with the fact that the code generated can only be used once, but more importantly...they would also need the same exact HydroID enabled wallet account of the target, so the code they generate actually generates the proper matching signature. At that point, if someone has that level of information on you, then that's a way more significant issue.

realquink commented 5 years ago

> @realquink @MasterSensei This phishing claim isn't exactly accurate.
>
> The code that is requested to enter is a bit less relevant to what the Hydro 2FA is offering as protection. The message we send, to confirm a user is who they say they are, is done on a crypto signature hashed level. You can't exactly phish with the code on your phone itself.
>
> For someone to successfully phish, not only would they need a masterful scheme to deal with the fact that the code generated can only be used once, but more importantly...they would also need the same exact HydroID enabled wallet account of the target, so the code they generate actually generates the proper matching signature. At that point, if someone has that level of information on you, then that's a way more significant issue.

I'm not sure you follow what I'm saying. You are tricking someone into entering a Hydro code (the 6 digit hydro code) that was phished from the real site but sent to the phisher's fake one. This is the extra step I was talking about above vs. normal phishing with Google 2FA. The only difference between Google and Hydro is that the operation is swapped. With Google you get the code from your phone and enter it on the site. With Hydro you get the code from the site and enter it on your phone. So the user enters the 6 digit code into their phone (from the fake site after it was grabbed from the real site). There is no crypto signature hash involved during this.

Unless what I'm saying isn't possible to transfer the code pulled from real site back to the fake one?

realquink commented 5 years ago

> I have proposed some ideas around Chrome extensions and Cloudflare integrations that would compare the whitelist to the site in the browser.
>
> Also, having the app itself confirm the correct code via web hooks is in process for v2 of the app. This will make it very difficult to phish, because the site can't spoof the codes and pretend like they were entered correctly. The user would get a big red X on their phone if the site itself didn't match the phone.

Awesome :)

ReyHaynes commented 5 years ago

@realquink

> I'm not sure you follow what I'm saying. I'm talking about phishing. You are tricking someone into entering a Hydro code (the 6 digit hydro code) that was phished from the real site but sent to the phisher's fake one. This is the extra step I was talking about above. So the user enters the 6 digit code into their phone (from the fake site after it was grabbed from the real site). There is no crypto signature hash involved during this.

Actually, the cryptographically hashed signature is what makes the Hydro App hard to phish in the first place.

The 6-digit hydro code, even if a phishing site manages to get the code, is 100% useless to them unless the phisher's phone has the target's exact HydroID account.

Under the hood of the Hydro App and the Raindrop API, the information that actually gets passed and compared is not the plaintext 6-digit hydro code, but a signature-verified version of the code. The signature that is created is unique to each user based on the public/private keys created for the linked wallet the HydroID is bound to. Not only does a phisher have to get the code correct, but they would also need the same HydroID enabled wallet on their phone.

Creating a phishing page for the 6-digit hydro code would be utterly pointless.

AnuragHydro commented 5 years ago

> @realquink
>
> > I'm not sure you follow what I'm saying. I'm talking about phishing. You are tricking someone into entering a Hydro code (the 6 digit hydro code) that was phished from the real site but sent to the phisher's fake one. This is the extra step I was talking about above. So the user enters the 6 digit code into their phone (from the fake site after it was grabbed from the real site). There is no crypto signature hash involved during this.
>
> Actually, the cryptographically hashed signature is what makes the Hydro App hard to phish in the first place.
>
> The 6-digit hydro code, even if a phishing site manages to get the code, is 100% useless to them unless the phisher's phone has the target's exact HydroID account.
>
> Under the hood of the Hydro App and the Raindrop API, the information that actually gets passed and compared is not the plaintext 6-digit hydro code, but a signature-verified version of the code. The signature that is created is unique to each user based on the public/private keys created for the linked wallet the HydroID is bound to. Not only does a phisher have to get the code correct, but they would also need the same HydroID enabled wallet on their phone.
>
> Creating a phishing page for the 6-digit hydro code would be utterly pointless.

If they've got the user on a false website, they can have the user input real credentials, pass those credentials to the true website, collect the 6-digit code from the true website and then pass the code to the user on the fake website. The user, not knowing, will sign the code from their phone - their verification will go to the true website, which is all the attacker needs. A hacker would need access to the wallet to reproduce the signature, but a phisher just needs to trick the unknowing user into sending the right message at the right time. Captcha or displaying the 6 digit code in an obfuscated/randomized format would possibly mitigate the risk by making scripted phishing difficult, but that's entirely up to the website's implementation - a website could do that today if they wanted, but at the end of the day, there are ways around captchas, so it wouldn't eliminate the risk entirely; actually, most likely it would do nothing because the whole captcha would get lifted.
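An added model (not Hydro's or Raindrop's code) of the point AnuragHydro makes: a signature over the code alone proves the signer holds the wallet key, not that the user is on the genuine site, so a code issued by the real site and signed while the user is on a look-alike page verifies fine and is single-use only for the party that relays it. The model also shows why origin binding (the signed message includes the origin the signing client is actually on, as browser-mediated schemes like WebAuthn do) defeats the relay; the wallet key is represented by an HMAC secret, and the origin and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model, not Hydro's code: the user's wallet key is represented by an
# HMAC secret shared between the phone app and the genuine site's verifier.
WALLET_KEY = b"constructed-demo-wallet-key"
REAL_ORIGIN = "https://site.example"   # assumed genuine site
FAKE_ORIGIN = "https://fake.example"   # assumed look-alike page


def sign(message: bytes) -> str:
    """Phone app side: HMAC stands in for the wallet signature over the message."""
    return hmac.new(WALLET_KEY, message, hashlib.sha256).hexdigest()


def challenge_message(code: str, origin: str, bind_origin: bool) -> bytes:
    """What gets signed: the 6-digit code alone, or the code bound to an origin."""
    return code.encode() + (b"|" + origin.encode() if bind_origin else b"")


class GenuineSite:
    def __init__(self, bind_origin: bool):
        self.bind_origin = bind_origin
        self.pending = {}  # code -> message the site expects a signature over

    def start_login(self) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = challenge_message(code, REAL_ORIGIN, self.bind_origin)
        return code

    def finish_login(self, code: str, signature: str) -> bool:
        expected = self.pending.pop(code, None)  # single use: a second attempt fails
        return expected is not None and hmac.compare_digest(sign(expected), signature)


def login_from(origin_seen: str, bind_origin: bool) -> tuple[bool, bool]:
    """Run one login; the user signs the code against the origin they are actually on.
    Returns (accepted, replay_of_same_signature_accepted)."""
    site = GenuineSite(bind_origin)
    code = site.start_login()  # fetched by the user's browser, or by a relaying page
    sig = sign(challenge_message(code, origin_seen, bind_origin))
    accepted = site.finish_login(code, sig)
    return accepted, site.finish_login(code, sig)


def relayed_code_accepted(bind_origin: bool) -> bool:
    """Code issued by the real site but signed while the user is on a look-alike page."""
    return login_from(FAKE_ORIGIN, bind_origin)[0]
```

A code typed by hand into a phone gives the signing app no way to learn which origin the browser is on, which is why the single-use property alone does not stop a real-time relay; the binding has to come from the channel the user is actually using.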