{"id":1185,"date":"2017-02-24T16:54:00","date_gmt":"2017-02-24T16:54:00","guid":{"rendered":"https:\/\/trouble.org\/?p=1185"},"modified":"2017-02-24T16:54:00","modified_gmt":"2017-02-24T16:54:00","slug":"how-many-factors-anyway","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=1185","title":{"rendered":"how many factors, anyway?"},"content":{"rendered":"<p>I&#8217;ve been using Google&#8217;s 2 factor authentication for a while now, it&#8217;s simple to use and seems effective (and is probably the most commonly used 2F on earth.) But how many factors is it, really?<\/p>\n<p>But perhaps I could try to distill this even a bit more, and go radical\u2026 is the 2nd factor really necessary or just a productivity hit\/distraction?<\/p>\n<p>Once per month or so it dutifully asks me to type in a password\u2026 but most of the time it\u2019s really sort of a zero factor auth device, assuming you\u2019re sitting at the keyboard.<\/p>\n<p>But the 2 factor is really a bit oddly named\u2026 because really it\u2019s something like a 1+2 factor, because I have a mobile device (my wife finally got tired of me having no phone and bought me one, ack!) and a password, but I really only use the 2F when I\u2019m on a laptop (or workstation at home), almost never on my phone, so it\u2019s password+phone+device.<\/p>\n<p>But it\u2019s not even 1+2, because 98% of the time I only have to log in to my laptop (splash screen) and I\u2019m in &#8211; once it fires up I can go to all the sites and places I frequent, including the ones with the keys to the infrastructure (e.g. the google console for their GCE environ), etc.<br \/>\nTo get onto the laptop you can either type a password or hit the (rather charming, I\u2019ll admit) little tactile LCD strip on the new macbooks that claim to save your fingerprint (cue the <a href=\"https:\/\/www.schneier.com\/crypto-gram\/archives\/2002\/0515.html\" target=\"_blank\">gummy bear army to attack<\/a>!) 
<a href=\"https:\/\/trouble.org\/uploads\/2017\/02\/gummy-400x400px.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-1187\" src=\"https:\/\/trouble.org\/uploads\/2017\/02\/gummy-400x400px.jpg\" alt=\"gummy-400x400px\" width=\"400\" height=\"400\" \/><\/a><\/p>\n<p>So really I claim that most of the time I only use a single password or a faux-fingerprint, but the security locus really is around my computers; if you can compromise them the other two factors, the ones people generally call my 2 factors, don\u2019t even come into play. If there\u2019s a vulnerability that allows code execution on one of my boxes, you\u2019re in.<\/p>\n<p>You can surely say (and stop calling me\u2026) that I\u2019m misusing 2F, but I suspect that this is how most use it today in the unwashed vernacular masses.<\/p>\n<p>A long-winded way of saying your \u201cwhat you know\u201d in at least Google\u2019s two factor is pretty worthless most of the time. It only seems to come into play when &#8211;<\/p>\n<p>&#8211; your time is up (every 30 days or whatever)<\/p>\n<p>&#8211; your Google seed\/key\/whatever has been compromised (that\u2019s when it really<br \/>\nwould matter\u2026 and I really haven\u2019t read too much about how easy\/difficult<br \/>\nthat is\u2026 I\u2019d presume if you clone a phone\/copy its disk you\u2019d have it,<br \/>\nbut perhaps it\u2019s trickier than that, using the device ID or something?<\/p>\n<p>Even the &#8220;what you have&#8221; doesn&#8217;t normally come into play, 99% of the time it&#8217;s actually dependent on the device I generally use to do work which has pretty much nothing to do with the 2F.<\/p>\n<p>Anyway. Slow Friday. Need more caffeine, amphetamines&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been using Google&#8217;s 2 factor authentication for a while now, it&#8217;s simple to use and seems effective (and is probably the most commonly used 2F on earth.) 
But how many factors is it, really? But perhaps I could try to distill this even a bit more, and go radical\u2026 is the 2nd factor really necessary [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[260,116,4,6],"tags":[351,350,349,318],"class_list":["post-1185","post","type-post","status-publish","format-standard","hentry","category-crypto","category-risk","category-security","category-tech","tag-2f","tag-authentication","tag-gummy-bears","tag-security"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1185"}],"version-history":[{"count":2,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1185\/revisions"}],"predecessor-version":[{"id":1196,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1185\/revisions\/1196"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}