Authy got hacked, and 33 million user phone numbers were stolen - eviltoast
  • AlexanderESmith@social.alexanderesmith.com · 12 up / 2 down · edited · 6 months ago

    Stop. Trusting. Cloud/SAAS. Security. Apps.

    Don’t give them your passwords and private keys, because you can never know if they’re being stored responsibly, or who has access to them.

    Don’t give them your personal details, they don’t care about protecting user anonymity.

    Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.

    “But that’s not convenient!” - It’s plenty convenient, find an app that supports your phone’s biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.

    “What if I lose my phone?” - Keep your files backed up. If you don’t do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.

    There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create honeypots, catnip for hackers, and making you pay them for the privilege of being an easy target.

    Edit: I’ve been using “honeypot” wrong. It would actually be good if the hackers tried to hack one of those.

    • 9point6@lemmy.world · 12 up / 1 down · 6 months ago

      “What if I lose my phone?”

      I’ve referenced this scenario in a comment elsewhere in the thread. You’ve missed the problem in your solution.

      A backup is useless if I can’t access it when I need to. In the scenario where I’m far from home and have only got a replacement phone to work with, I need a way to access my OTP database (with only my phone number as a 2nd factor, thanks to ESIM provisioning) so I can get to my cloud storage for my password database.

      This is a real scenario that doesn’t seem covered by most options, and people seem to keep glossing over it (and before anyone says that’s not likely, I’ve been in that exact scenario before).

      • AlexanderESmith@social.alexanderesmith.com · 5 up · edited · 6 months ago

        Who said you shouldn’t be able to access your backups remotely?

        A lot of tools allow you to set up Google Drive, Dropbox, whatever. Yes, this brings you back to cloud, but it’s better to have a hacker wonder if some random Google Drive might have juicy auth data than know for sure that some SaaS platform absolutely does. Also, even if they got the file, it should be encrypted, and should be a massive pain to get into (at least long enough to change the passwords stored in the file).

        The other (better) option is to have it back up to SFTP (or similar), which you manage yourself on private servers. Normally this would be accessed through RSA and/or TOTP, but you can set up secure backup methods (combine any/all of: port knocking, long password, human-knowable timed password, biometrics, security questions, other trusted humans that have some TOTP that can’t open your storage alone, etc.).

        • 9point6@lemmy.world · 3 up / 1 down · 6 months ago

          Right, I get that and that would 100% be part of the solution, but I’m not going to have my cloud storage protected only by a single factor.

          Specifically, I’ve kinda happily landed on Authy’s SMS being the 2nd factor in that scenario (and that scenario alone, as it’s generally one of the worst 2nd factors) because I know I can get my ESIM reprovisioned with a phone call to my provider. Plus Authy won’t just give me access with an SMS alone; there are verification steps before they will let me access it, which adds peace of mind given the reduced security of an SMS OTP.

          I’m not interested in cobbling together my own “secure” solution. I would happily host something ready to go (seems like Bitwarden might be a front runner here), but I’m not going to trust my glue is perfect if I’ve had to do much more than pull a container and set up a reverse proxy. I cannot guarantee I have the time to patch vulnerabilities manually, etc.

          • AlexanderESmith@social.alexanderesmith.com · 2 up · edited · 6 months ago

            Whoa there, I never have - and never would - suggest that anything should be protected by a single factor. Where are you getting that?

            Authy sucks. It’s not just that the TOTP they send you might not be secure (SMS is easily exploited), it’s been shown that they’re leaking other personal data.

            You don’t have to cobble anything together. As you say, self-hosted Bitwarden is a good option. As for your “glue”, you should trust it more than a third party, since you know what went into yours, and it’s not a massive honeypot treasure trove.

            Edit: I’ve been using “honeypot” wrong. It would actually be good if the hackers tried to hack one of those.

      • ruse8145@lemmy.sdf.org · 2 up · 6 months ago

        Syncthing across all of your devices. Use your desktop or other home PC to sync to a secure cloud service using rsync or FreeFileSync on a schedule. If you know all the words I just said, it’s like an hour of work; if not, it’s probably 4-6 (piecemeal, not a block).