undefined | Better HN

0 pointsjimktrains24y ago0 comments

I would argue that since the totp secret is never in my head it is not a password.

Sms hijacking doesn't "convert" anything anymore than someone with a telephoto lens "converts" an old-style hardware token to a password. (Yes, I know the p in otp is password, and called that because it's entered by the user. It's not a password in terms of a factor you "know" because it's time-limited.)

These are also fluid ideas that are used to describe roughly different failure modes for different types of authentication:

Passwords are thought of as things the user can disclose.

Totp and other "second factors" are thought of as things that must be stolen, or if disclosed have a very short viability time.

Biometric are things that can't be disclosed, but can be lost, and (and when properly implemented) not stolen.

You're trying to argue that these categories of authentication factors have hard lines and definitions when they're fluid categories being used to think about failure modes of a method. Each specific authentication method has its own strengths and weaknesses.

Also, sms hijacks require a lot more than simply "knowing" a phone number. While sim cloning and ss7 attacks are known and very possible, they're still fairly complex. You can also social engineering tech support at phone companies to activate your sim for an account, but that is also significantly more difficult than simply "knowing" a phone number and also a failure of the authentication the phone carrier is using.

0 comments

thaumasiotes4y ago

> Sms hijacking doesn't "convert" anything anymore than someone with a telephoto lens "converts" an old-style hardware token to a password.

I didn't notice this sentence before. Compare the issue of releasing photographs of master keys.

https://www.schneier.com/blog/archives/2012/10/master_keys.h...

Compare the (correct) comment from that post:

> the press has helpfully published a photograph of the keys, so you can make your own, even if you didn’t win the eBay auction.

with this official statement from the government of New York:

> “If you’re selling it, it’s in your possession for an unlawful reason,” said City Councilmember Elizabeth Crowley, chairwoman of the Fire and Criminal Justice committee.

( https://nypost.com/2015/09/20/the-8-key-that-can-open-new-yo... )

Saying "you're not supposed to have this" won't stop people from having it. These keys are regulated as if they are "something you have", but the facts are otherwise.

thaumasiotes4y ago

> Totp and other "second factors" are thought of as things that must be stolen, or if disclosed have a very short viability time.

TOTP gets set up in the first place when the website discloses your seed to you. It's not something that can't be disclosed. Seeds get disclosed all the time; workflows are built around it.

> Biometric are things that can't be disclosed

Huh?? Biometrics are things that it's impossible to avoid disclosing. If you're ever in a police station, they are free to sample your DNA. You shed it all over the place. If you ever handle something, you just disclosed your fingerprints. If there are any pictures of you out there, your face is public information.

> sms hijacks require a lot more than simply "knowing" a phone number.

I didn't claim otherwise. The intent of my sentence above is to say that a context which involves a working hijack attack converts an SMS challenge from a second factor into a password. If your attack is working, knowing the phone number is sufficient to authenticate as the victim.

j / k navigate · click thread line to collapse

0 pointsjimktrains24y ago0 comments

I would argue that since the totp secret is never in my head it is not a password.

These are also fluid ideas that are used to describe roughly different failure modes for different types of authentication:

Passwords are thought of as things the user can disclose.

Totp and other "second factors" are thought of as things that must be stolen, or if disclosed have a very short viability time.

Biometric are things that can't be disclosed, but can be lost, and (and when properly implemented) not stolen.

0 comments

thaumasiotes4y ago

> Sms hijacking doesn't "convert" anything anymore than someone with a telephoto lens "converts" an old-style hardware token to a password.

I didn't notice this sentence before. Compare the issue of releasing photographs of master keys.

https://www.schneier.com/blog/archives/2012/10/master_keys.h...

Compare the (correct) comment from that post:

> the press has helpfully published a photograph of the keys, so you can make your own, even if you didn’t win the eBay auction.

with this official statement from the government of New York:

> “If you’re selling it, it’s in your possession for an unlawful reason,” said City Councilmember Elizabeth Crowley, chairwoman of the Fire and Criminal Justice committee.

( https://nypost.com/2015/09/20/the-8-key-that-can-open-new-yo... )

Saying "you're not supposed to have this" won't stop people from having it. These keys are regulated as if they are "something you have", but the facts are otherwise.

thaumasiotes4y ago

> Totp and other "second factors" are thought of as things that must be stolen, or if disclosed have a very short viability time.

TOTP gets set up in the first place when the website discloses your seed to you. It's not something that can't be disclosed. Seeds get disclosed all the time; workflows are built around it.

> Biometric are things that can't be disclosed

> sms hijacks require a lot more than simply "knowing" a phone number.

j / k navigate · click thread line to collapse