mattrubin / Authenticator

Two-Factor Authentication Client for iOS
https://mattrubin.me/authenticator

Device and computer sync #129

Open abulgatz opened 8 years ago

abulgatz commented 8 years ago

Any chance of adding syncing between Devices like Authy does? Or writing a Mac/PC app and syncing with it?

I understand that this hurts security, but it makes 2FA livable on my ~30 accounts.

SurajGupta commented 8 years ago

Somewhat related to: https://github.com/mattrubin/Authenticator/issues/6

abulgatz commented 8 years ago

Somewhat related, but I would consider backup and sync to be different enough for a separate topic/issue.

mattrubin commented 7 years ago

I have avoided implementing any sort of sync because of security concerns – both the token secrets existing on multiple devices, and also my own ability to write a secure syncing solution.

I'll give this more thought as I also look into backup and restore.

algesten commented 7 years ago

Personally I don't store passwords in the keychain, so it would make sense for me to just have the tokens automatically synchronizing that way. But I may be the odd one out.

Wouldn't a simple solution be to just have a setting, perhaps even per token, of whether to store that item in a synchronized keychain or local?

beaucollins commented 7 years ago

I like Authenticator because it adheres to the spirit of Multi-factor authentication which ties the factor to a physical object (my phone):

Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).

With the way Authenticator works, to authenticate as me you must be in possession of my phone. That's it. And since I have Touch ID enabled immediately on device lock I have all three categories covered:

  1. My password (something I know)
  2. My finger (something I am)
  3. My phone (something I have)

I think syncing the secrets behind the authenticators fundamentally breaks this. If the secrets get into my iCloud keychain then you potentially no longer need to have my phone. At the moment I highly trust Apple's iCloud Keychain sharing but I still don't want to put my second factor secrets in there.

There are two UX problems to solve that I think syncing is the wrong solution to:

  1. Getting the generated code from the device with minimal user annoyance
  2. Migrating the secrets to a new device

Solutions to 2 should not use The Cloud™. Encrypted backups as they work now do this. A potential other solution is exporting a PGP encrypted file of the secrets that I can share with myself.

Solutions to 1 should treat the Authenticator app as a service that can send generated codes (not secrets) that require my physical presence with the device.

algesten commented 7 years ago

> Solutions to 2 should not use The Cloud™. Encrypted backups as they work now do this. A potential other solution is exporting a PGP encrypted file of the secrets that I can share with myself.

Aren't you being a bit black/white here? I understand that cloud options must be carefully thought about and should not be a default. However for my use case (which was to transfer from one device to another), I would definitely have "risked it", since I don't store anything else of importance in the Keychain.

"The Apple Way" options for getting from one device to another are:

  1. Password protected iTunes backup or encrypted iCloud backup.
  2. Keychain item marked for iCloud sync (notice this can be done on an item-by-item level)
  3. Write/Read from iCloud Drive

Personally I have experience of supporting users with scenarios 1 and 3. Our app used to rely only on 1, and I can vouch that it is a big pain to explain to users under what scenarios their data is backed up. The little detail about password protected iTunes backups often eludes the user.

When we finally introduced 3, an explicit backup action that writes to iCloud drive, our life got so much easier.

I think Authenticator should give the user a choice, like an explicit backup action, or keychain sync.
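The per-item keychain sync choice raised above (a local-only item versus one marked for iCloud Keychain) looks like this in practice. This is an added illustration, not Authenticator's code; the service name and the `TokenSecretStore` type are assumptions.

```swift
import Foundation
import Security

/// Hypothetical helper (not part of Authenticator): stores one token secret
/// either in the local-only keychain or in the iCloud-synchronized keychain.
struct TokenSecretStore {
    let service = "example.authenticator.tokens"   // assumed service name

    private func baseQuery(account: String) -> [String: Any] {
        [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Stores `secret` for `account`. With `sync == false` the item is tagged
    /// ThisDeviceOnly, so it never enters iCloud Keychain and is dropped from
    /// unencrypted backups; with `sync == true` it is synchronizable and will
    /// leave the device, which is the trade-off discussed in this thread.
    func store(secret: Data, account: String, sync: Bool) -> OSStatus {
        // Remove any earlier copy, synced or not, so the sync choice is replaced.
        var delete = baseQuery(account: account)
        delete[kSecAttrSynchronizable as String] = kSecAttrSynchronizableAny
        SecItemDelete(delete as CFDictionary)

        var add = baseQuery(account: account)
        add[kSecValueData as String] = secret
        add[kSecAttrSynchronizable as String] = sync
        // A ThisDeviceOnly accessibility class is rejected for synchronizable
        // items, so the accessibility must follow the sync decision.
        add[kSecAttrAccessible as String] = sync
            ? kSecAttrAccessibleWhenUnlocked
            : kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(add as CFDictionary, nil)
    }

    /// Reads a secret back regardless of how it was stored.
    func load(account: String) -> Data? {
        var query = baseQuery(account: account)
        query[kSecAttrSynchronizable as String] = kSecAttrSynchronizableAny
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        return status == errSecSuccess ? result as? Data : nil
    }
}
```

The default worth defending is `sync: false`; only an explicit, per-token opt-in should flip it, and `load` still finds the item either way.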

abulgatz commented 7 years ago

I've switched to using 1Password for my one-time passwords. I've been a long-time user, and didn't know they supported this. This gives me the sync I want across my devices, with some extra security.

I understand that 2-Factor when used in this fashion isn't really 2-Factor, but rather 2-Step. But it also isn't 2-Factor if you store your passwords on the same phone as your authentication app, as I do anyway in 1Password. My 1Password on my phone is protected by my fingerprint, and every 24 hours requires my full master password.

What 2-step gives me is protection from typing passwords into untrusted machines, protection from network snooping, and protection from shoulder-surfing. If someone gets one of my passwords, unless they can also get into my synced 1Password (less likely than just getting a site password, but not impossible) I am still safe. Or at least I have longer to reset everything.

beaucollins commented 7 years ago

> I think Authenticator should give the user a choice, like an explicit backup action, or keychain sync.

I was being too black and white I suppose. I like the idea of Authenticator being opinionated about security and keeping my secrets on my device and letting me choose about how severe I want to be about security while being as secure as possible by default.