zlacker

1. nextos+(OP) 2022-01-27 19:44:33
> 1. No more SMS and TOTP. FIDO2 tokens only.

SMS are bad due to MITM and SIM cloning. In EU many banks still use smsTAN, and it leads to lots of security breaches. It's frustrating some don't offer any alternatives.

However, is FIDO2 better than chipTAN or similar? I like simple airgapped 2FAs, but I'm not an expert.

replies(1): >>tptace+Q
2. tptace+Q 2022-01-27 19:47:44
>>nextos+(OP)
The major advantage of FIDO2 is that it's difficult to phish. SIM cloning is not the primary reason organizations are now advocating against SMS 2FA.
replies(1): >>tialar+kZ
3. tialar+kZ 2022-01-28 00:32:25
>>tptace+Q
In particular [Thomas knows this, for anybody else reading], WebAuthn (the way you use FIDO for the web, U2F is a legacy system for doing the same thing that you should not use in greenfield deployments) recruits your web browser to defeat phishing.

When you use WebAuthn to sign into a site, the browser takes responsibility for determining which site you're on, cutting out the whole phishing problem of "Humans don't know which site it is". The browser isn't reading that GIF that says "Real Bank Secure Login" at the top of the page, or the title "Real Bank - Authenticate", or the part of the URL bar that says "/cgi-bin/login/secure/realbank/"; it is looking only at the hostname it just verified for TLS, which says fakebank.example.

So the browser tells your FIDO authenticator "OK, we're signing in to fakebank.example", and that's never going to successfully steal your Real Bank credentials, because the correct name is cryptographically necessary for the credentials to work. This is so effective crooks aren't likely to even bother attacking it.
