Closed cottsak closed 7 years ago
@cottsak The issue with TOTP is that it causes a lot of friction (rebellion is a better word). Especially when you need it over and over again. That's why push notifications are used.
Some employees would not harden their mobile phone, or would not use it for work purposes. What then? This is when you can introduce yubikeys. Device controls can be configured to allow yubikeys and not storage devices.
I think that we should introduce all aspects of this, and let each company choose their culture fit.
@itaifrenkel
I'm sure yubikeys are a great 2FA option. The problem I have is with the conflicting advice in the document. If on one hand you want folks to steer clear of USB devices (which is awesome advice) then, for most companies, it makes sense to make that sweeping and avoid yubikeys. If you don't, then folks won't know where the line is. A "grey area" will form where some USB devices are ok but others aren't. As humans, we don't handle those types of complicated constraints well and eventually the guidance will relax and everyone will be using all sorts of USB devices, hence defeating any gain from the initial "avoid USB thumb drives" advice you had to begin with.
If on the other hand you think the 2FA protection from yubikeys outweighs the physical access risks associated with the "don't use any USB devices" then you'd simply be wrong. 2FA is a "hardening" measure on top of machine-based authentication. Physical access almost exclusively results in machine-root level access and will always be the bigger risk.
If I were you I would reconsider the yubikeys advice. Like my PR suggests: keep things simple for readers and drop the conversation about yubikeys altogether.
@itaifrenkel Now coming back to TOTP
The issue with TOTP is that it causes alot of friction
This sounds like personal experience more than fact.
TOTP codes are widely used and products like Google Authenticator aren't limited to the Google product offering - any application can use a TOTP code generator. I don't see what the "friction" or "rebellion" is. They are potentially not as smooth a UX as an SMS with a code but if anything, it's a marginal cost. Once folks get used to the app they will be fine. Just like folks get used to pulling their RSA keyfob from their pocket before authenticating; it's the same. It's not a big deal and you will see more vendors swapping (or at least adding) to TOTP in the light of the recent NIST advice asking vendors to move away from it.
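The point above that TOTP is an open algorithm any application can implement (not something tied to Google Authenticator) is easy to show concretely. The following is an added example written for this thread, not code from the project's document or from any participant: a self-contained RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation with the server-side verification a service would run. The secret and Base32 string are the reference test values from those RFCs; the `window` drift tolerance and the `last_counter` replay guard in `verify_totp` are this example's own design choices, not something the RFCs mandate.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 secret (e.g. from an otpauth:// URI).
    Tolerate lowercase, spaces and missing '=' padding, as the apps themselves do."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the accepted time-step counter, or None on rejection.

    Design choices of this example (assumptions, not RFC requirements):
    - window: accept +/- this many steps so a phone with slightly skewed clock still works.
    - last_counter: highest counter already accepted for this user; anything at or below
      it is rejected, so a code seen once cannot be replayed inside the drift window.
    - hmac.compare_digest: constant-time comparison, so timing does not leak matched digits.
    """
    if not code.isdigit() or len(code) != digits:
        return None
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 reference secret "12345678901234567890",
    # in the Base32 form an authenticator app would be provisioned with.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counter 0:", hotp(secret, 0))                    # 755224 (RFC 4226 vector)
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082 (RFC 6238 vector)

    # A user submits the code their phone showed at t=59; the server checks at t=60.
    code = totp(secret, 59)
    accepted = verify_totp(secret, code, 60)
    print("accepted counter:", accepted)                          # 1
    # The same code submitted again is refused once the server remembers counter 1.
    print("replay attempt:", verify_totp(secret, code, 60, last_counter=accepted))  # None
    # Two minutes later the code is outside the drift window and is refused as well.
    print("stale code:", verify_totp(secret, code, 120))          # None
```

The server only needs the shared secret, a clock and the user's last accepted counter; nothing here depends on a particular vendor, which is the practical basis for the "any application can use a TOTP code generator" point.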
@cottsak the problem is more that users don't want to use personal smartphones for work products. They feel that if the company wants them to use a TOTP app, that the company needs to provide the phone to run it on.
@cottsak I added (even more) text to the 2FA section. It's not as elegant, but it delivers the different tradeoffs discussed here better (I think). WDYT? (CC @gvangool )
@gvangool how is that different for an SMS? You still need a phone for that
@cottsak Most employees won't say anything about SMS, TOTP and even push notification. About ~20% of them would start to feel uncomfortable when you ask them to lock their phone and encrypt it, in order to protect those apps.
The other objections are of course usability (the fact that you need to take out your phone, unlock it and push/copy numbers).
@itaifrenkel no problem. I think we've made some good changes here. It'd be good to merge it in.
some of this didn't read very well: