How much benefit is there to two-step verification for Dropbox, Apple ID, etc.?
Before I begin, I did read (and re-read) the blog posting on this by you folks that seems to imply that two-factor auth is only really needed if you don't have a 'good' primary password. And we all do. Especially on Dropbox. And I do, it's a maxed-out 1P complex one.
So, is that really true? Does two-factor auth do nothing for us? I do have it on my primary gmail account, since that's critical to security for all the other accounts (as that's where the 'verification emails will go if someone changes something...). But is having two-factor on an account where the password is 'completely unique' (I hate that term... :) ) really redundant?
Just trying to see that there is really no point to adding it to Dropbox. I would think that even if someone (1) has the hashed/salted password file and (2) then cracks my password [which would take a long time], they still couldn't log in with it if two-factor was on. But is the gain of having two-factor then like the 128 bit-256 bit gain, and not worth it at all? (See, I read the blog... :) ).
Thanks!
-Lee
Comments
-
Good question. I've asked Jeffrey to clarify. I don't personally use two-step verification for Dropbox since I find it to be too much of a hassle for relatively little gain. But I am also interested to know what else Jeffrey could say on this.
0 -
Great question!
It would be silly to say that it does nothing for you. But the major threat it defends against is not one that 1Password users really face. It's always possible to imagine a threat for which this would matter for us. Passwords can be stolen through shoulder surfing, or through an SSL failure.
Personally, I don't find those threats to be enough of a worry for me to use Dropbox's two-step verification, but that isn't a decision that I can make for you.
I really think Dropbox got it right with this system. It is a good option to offer people and guide people toward. But the marginal gains for someone who is already using a strong and unique password are limited. For people who are reusing their Dropbox passwords elsewhere, the marginal gains would be substantial.
Cheers,
-j
0 -
Thanks much! I've been doing computer security for a while (but not at the depth you all do, of course), and thought I was perhaps missing something. If the passwords are unique and "impossible", I think two-factor is, really, overkill. Appreciate the feedback!
0 -
I don't think that two-factor authentication is overkill at all. Speaking as someone who's going through proceedings with identity theft, the more security the better.
0 -
Joe, I think I agree if there's any way for people to get their hands on the passwords physically. For me, anyway, the complexity of a long 1P password is good enough. I can see where you could want to add it (two factor) to be sure in special cases. If you have 'bad passwords', I'd say it's mandatory!
0 -
Joe,
I'm really sorry to learn about your identity theft issue. Do you know how it happened?
As I said, the particular risks that Dropbox's two-step verification handles are threats that people who use a strong unique password for Dropbox don't face to a substantial degree. But again, a strong, unique password doesn't completely eliminate all those threats, so there is some (limited) value to it. If you find that sufficiently valuable go for it.
Cheers,
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
0 -
I would disagree with Jeffrey on this one. I have dealt with IT security issues in the military, regulated industries, and now in academic research and would say that using two-factor verification is the way to go in any case it is offered. It does provide a stronger level of protection, not just in Dropbox's case but with things like gmail (as mentioned above) and banks.
Jeffrey mentions shoulder surfing and SSL failures as reasons a two-factor verification might be needed. "SSL failures" is a fairly broad category and I doubt many people would understand just how many places SSL doesn't do exactly what they think it does. For instance, many mobile web browsers (Safari, Opera, Kindle, and others) now use cloud-side proxies to do compression and acceleration for them; it makes your web browsing experience on a mobile device much faster. However, your SSL transactions go through those proxies as well. How? It is called a man-in-the-middle attack, only in this case it isn't intended as an attack, and it just so happens the proxy can see your password. If you work for a reasonably large company with a solid firewall/proxy they are almost certainly using a MTM capture as well (for "security" reasons of course); that means they are logging your password every time. You can google around for places to check your current browser, but it is "normal" behavior.
Two-step/factor authentication is not a perfect solution, it can be hacked as well (especially if you start chaining accounts together, a whole separate issue), but it is better than a single factor - even if that is a very strong/secure password.
0 -
For instance, many mobile web browsers (Safari, Opera, Kindle, and others) now use cloud-side proxies to do compression and acceleration for them, it makes your web browsing experience on a mobile device much faster. However, your SSL transactions go through those proxies as well.
Hopefully we will hear some comment about this from Jeffrey, and I'm particularly curious about the 1PW browser for iOS devices and whether there are such vulnerabilities.
0 -
I don't think @fienx and I are really disagreeing on the fundamentals. S/he and I both agree that shoulder surfing and the very broad category of SSL failures exist, and remain a risk. I suspect that we also agree that the overwhelming majority of instances of password capture are from weak and reused passwords. So I think that we will agree that using a strong and unique password for Dropbox eliminates most (but not all) of the risk that their two-step verification is designed to address.
The only difference is whether we feel that the remaining risk addressed by two factor auth with Dropbox is substantial enough to merit the hassle. That is a decision each individual has to make. That @fienx and I make different personal choices in that case doesn't have to mean a fundamental disagreement.
I may not be up-to-date, but I believe that neither the Kindle, Mobile Safari, nor Opera are conducting a Man In The Middle on HTTPS with their proxying. Nokia, however, was. After that came to light, they issued an update that fixed that. (They still know which sites you visit, but they no longer have access to the content of the HTTPS traffic. They are still proxying, but they are no longer decrypting and re-encrypting.)
But in those cases, we need to remember that we are already trusting Nokia's client, which could capture passwords and browsing behavior at the client level instead of needing the Man In The Middle. If Amazon, or Apple, or Opera, or Nokia wanted to get your passwords, they could grab them straight from the browser they provide to you. They don't need to grab it off of some proxy system they run. This, of course, might be an argument in favor of using two-factor authentication. (Well, actually an argument in favor of one-time passwords that are part of the "second factor").
So while the SSL failure of that sort of thing is very real, it doesn't necessarily expose people to a risk that they weren't already exposed to. After all, Nokia users were using a client that was designed to be vulnerable to a specific Man In The Middle. It was designed to accept a Nokia certificate for non-Nokia sites.
For those who don't know what I mean by "Man In The Middle" take a look at an article from a couple years ago on how someone (presumably the government of Iran) was running a MitM attack on Gmail users in Iran.
I'm not at all trying to be dismissive of the concerns raised. There is a lot about the entire SSL infrastructure that I am profoundly unhappy with. I certainly never wanted to say that using Dropbox's two-factor authentication adds no security value. The "one-time password" aspect of it protects people against a broader class of attack (such as malicious clients).
If I find that there have been login attempts to my account from systems I don't recognize, I will definitely be re-enabling two-factor authentication.
Sadly there are very few definitive answers for security questions. I am not saying "don't use it" nor am I saying "do use it". I'm saying that before you decide, please recognize that a large portion (but not all) of the problem it is designed to address is already addressed by using a strong, unique password.
Cheers,
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
0 -
If I find that there have been login attempts to my account from systems I don't recognize, I will definitely be re-enabling two-factor authentication.
How does one determine how many logins have been attempted from unknown systems? I would be very curious to know.
Thanks and regards,
0 -
I know Google and Facebook will email you if there is an unusual login attempt. Not sure about other services offhand. They are all different. As far as I know, there is no standard for this sort of thing.
0 -
I think Jeff probably has more to say about this, and he wrote about it a bit on our blog in his "More than just one password: Lessons from an epic hack". However, the issue in Mat Honan's case was that the password reset policies in place at certain companies were exploitable. Presuming that those social exploits have been resolved — and the companies have stated that they are — two-factor authentication remains most useful for folks who are reusing passwords.
0