Does anyone use 1Password?

Our local bank doesn’t have MFA for browser account access however they do provide face recognition on their mobile app. Claiming to have new online software coming this month so maybe finally get up to speed.

Thank you for mentioning the Yubikey limitations. Don’t recall anyone else bringing this to light.

I don’t think you’re both talking about the same thing. I believe what he was saying is that you can’t use MFA for the password manager itself. Which is the same thing I discussed before. MFA only works, for any password, if there is a site or server that is not the same one as the password is being input on. If it’s all done on the same device, an attacker can basically ignore the MFA.

What you’re discussing is using the password out of the password manager and then using MFA as well. There are certainly password managers that can roll them all into one, but I think what you’re suggesting is this is a bad idea, and I think I agree. This is a different topic than the safety of the password manager and whether you would use MFA to control access to it.

2 Likes

I’m confused here. What exactly do you mean by this? Are you saying NOT TO use MFA on your password manager because it has no value? It has value if someone has your password and tries to login to the website of your password manager.

I understand that MFA does not in any way protect the database. If someone gets that binary blob, all they need to do is phish your password out of you, and they’re in.

The Yubikey was designed at a time when MFA was not as popular. Now that there are plugins for most major web forum software and for CMS software like Drupal and Wordpress, adding TOTP support is as easy as dropping in a plugin and hitting apply.

That’s what got me to 52 different TOTP codes. And sites that support U2F with a Yubikey will almost always NOT allow you to turn off TOTP, so you still need it.

2 Likes

Correct, to the site you are authenticating against, you have MFA, but, because they are both on the one device, if that device is stolen and cracked open (the thief can access your safe and authenticator, because they are not locked, when it is stolen, or they use one of the many bypasses for biometric protections) or hacked remotely, they have both your passwords and your MFA codes.

That is what I mean by not having MFA, if both are on the same device. If you have a physical token as the MFA, they need to steal both the device and the token to get access to your accounts - of course, through the apps on the device, they have access to most of your accounts anyway, as they are usually permanently logged in.

My bank (Kreissparkasse) uses a token generator, I have to stick my card into the device and then it reads a code off the screen, which includes the recipient’s account number and the amount of the transaction and it generates a code for that one transaction that is unique - I also have to confirm the account number & value on the device, before it generates the code, so no man in the middle attack would work.

Our joint account (Deutsche Bank) uses an advanced QR Code (multi colour and much larger than a normal QR Code) to log in and to authenticate transactions, this is either a separate reader device, like my account, or an app on the smartphone.

Only partially, there have been various exploits of facial and fingerprint recognition over the years, or if they manage to steal the device in the window, where you have unlocked the apps and they haven’t relocked - there is usually a small window, for convenience, where they remain unlocked, so you don’t have to constantly re-open them, if you are swapping back and forth.

With some of the authenticator apps, which require FaceID or fingerprints, that is a half-way mitigation, but still not 100%. For normal use (device is clean and in your possession), it is safe and you have MFA. If the device is hacked or stolen, you basically have to consider the MFA bypassed and get the authentication tokens re-issued immediately, the same with changing all your passwords.

It comes back to the same old convenience versus security, you trade off some extra security for the convenience - not having to fish a second device out of your pocket to hold against your phone / plug into your computer to get the MFA token. As long as the device is in your possession and not hacked, it is fine. For the case the phone is hacked or stolen, they theoretically have your passwords and your tokens, so you have to assume both are lost and react immediately to reset both passwords and tokens.

I used the phrase to make people think, but it is just a “worst case” situation.
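The transaction-bound code generator described above (card reader shows recipient and amount, user confirms, reader emits a code valid for that one transfer) can be modelled in a few lines. The following is an added illustration, not the page's content and not the actual chipTAN scheme of any bank: it assumes a constructed per-card secret shared with the bank, a simple HMAC over counter, recipient and amount truncated HOTP-style, and constructed IBANs. It shows why a man-in-the-middle who rewrites the recipient gets no code (the user sees the wrong IBAN on the reader) and why a captured code cannot be replayed for a second transfer.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed secret for the demo; on a real card it lives in the chip and never leaves it.
CARD_SECRET = hashlib.sha256(b"constructed demo card secret").digest()


@dataclass(frozen=True)
class Transfer:
    recipient: str     # payee IBAN (constructed values below)
    amount_cents: int  # amount in cents


def transaction_code(secret: bytes, counter: int, t: Transfer) -> str:
    """6-digit code bound to counter, recipient and amount (HOTP-style truncation)."""
    msg = (struct.pack(">Q", counter)
           + t.recipient.encode("ascii") + b"|"
           + struct.pack(">Q", t.amount_cents))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class CardReader:
    """Offline reader: shows the transfer from the challenge and signs only what the user confirms."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def generate(self, counter: int, shown: Transfer, intended: Transfer):
        # The user compares recipient and amount on the reader's display with what
        # they actually meant to send; any mismatch means no code is produced.
        if shown != intended:
            return None
        return transaction_code(self._secret, counter, shown)


class Bank:
    """Bank side: issues a challenge per transfer and verifies the returned code."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0
        self._pending = {}  # counter -> Transfer awaiting its code

    def start_transfer(self, t: Transfer):
        self._counter += 1
        self._pending[self._counter] = t
        return self._counter, t  # the on-screen challenge carries counter + transfer details

    def finish_transfer(self, counter: int, code: str) -> bool:
        t = self._pending.pop(counter, None)
        if t is None or code is None:
            return False  # unknown, already used, or never-produced challenge
        expected = transaction_code(self._secret, counter, t)
        return hmac.compare_digest(expected, code)


def run_scenarios() -> dict:
    bank = Bank(CARD_SECRET)
    reader = CardReader(CARD_SECRET)
    intended = Transfer("DE00 CONSTRUCTED 0001", 12_500)

    # 1. Honest transfer: challenge matches intent, code verifies.
    ctr, shown = bank.start_transfer(intended)
    code = reader.generate(ctr, shown, intended)
    honest = bank.finish_transfer(ctr, code)

    # 2. Man-in-the-middle rewrites the recipient before it reaches the bank:
    #    the reader displays the attacker's IBAN, so the user declines.
    tampered = Transfer("DE00 ATTACKER 9999", 12_500)
    ctr2, shown2 = bank.start_transfer(tampered)
    mitm_code = reader.generate(ctr2, shown2, intended)
    mitm_blocked = mitm_code is None and not bank.finish_transfer(ctr2, mitm_code)

    # 3. Replay: the code from transfer 1 is presented for a fresh challenge.
    ctr3, _ = bank.start_transfer(intended)
    replay = bank.finish_transfer(ctr3, code)

    return {"honest": honest, "mitm_blocked": mitm_blocked, "replay_accepted": replay}


if __name__ == "__main__":
    print(run_scenarios())
```

The binding of the code to the displayed details is what defeats the man-in-the-middle: the bank only ever accepts a code computed over the transfer it is about to execute, and that transfer is exactly what the reader showed the user.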

Actually, I was saying that if you have both on the same device, it negates the MFA, in the event the device is stolen or compromised. I do use MFA for my password safe - I use a Yubikey.

Accessing the safe from the providers website is protected by MFA, once you have access to the encrypted blob and can copy it, you no longer need the MFA.

i.e. if you are trying to brute force your way into someone’s cloud account, you need their MFA. If you have hacked the cloud of the password safe provider (a la LastPass), you already have the blob, so you don’t need to have the MFA token, you can just brute force for the master password on the blob in your possession.

1 Like
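The point made in the last two posts (MFA gates the provider's login, but the encrypted blob opens with the master password alone) is illustrated below. This is an added example, not any vendor's real vault format: it assumes a demo-only construction (PBKDF2 key derivation, an HMAC-SHA256 keystream with an HMAC tag; a production vault would use Argon2 or a high-iteration PBKDF2 with a vetted AEAD such as AES-GCM) and constructed salts, passwords and contents. The last two checks show a hypothetical hardening in which a second secret held only on the device is mixed into the key derivation, so that blob plus password is no longer sufficient.

```python
import hashlib
import hmac
import struct

ITERATIONS = 100_000  # demo value; use a far higher cost or Argon2 in practice


def derive_key(master_password: str, salt: bytes, device_secret: bytes = b"") -> bytes:
    """Vault key from the master password; optionally mixes in a device-held secret
    (hypothetical hardening) so the blob plus a known password is not enough."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode() + device_secret,
                               salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    # Demo-only stream: HMAC(key, counter) blocks, concatenated and truncated.
    blocks = [hmac.new(key, struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(plaintext: bytes, key: bytes, salt: bytes) -> bytes:
    """Produce the 'binary blob' a provider would store: salt || tag || ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def open_vault(blob: bytes, master_password: str, device_secret: bytes = b""):
    """Decrypt the blob. Note: no second factor appears anywhere in this path."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = derive_key(master_password, salt, device_secret)
    if not hmac.compare_digest(hmac.new(key, salt + ct, hashlib.sha256).digest(), tag):
        return None  # wrong password (or wrong device secret)
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def server_login(password_verifier: bytes, salt: bytes,
                 master_password: str, second_factor_ok: bool) -> bool:
    """The provider's web login: password verifier AND second factor must pass.
    This is the only place the second factor is consulted."""
    candidate = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    b"login:" + salt, ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, password_verifier) and second_factor_ok


def demo() -> dict:
    salt = hashlib.sha256(b"constructed salt").digest()[:16]
    password = "correct horse battery staple"          # constructed master password
    contents = b"example.test / alice / hunter2"       # constructed vault contents
    blob = seal(contents, derive_key(password, salt), salt)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   b"login:" + salt, ITERATIONS, dklen=32)

    r = {}
    # Provider login: the password alone is refused, password + second factor is accepted.
    r["login_without_mfa"] = server_login(verifier, salt, password, second_factor_ok=False)
    r["login_with_mfa"] = server_login(verifier, salt, password, second_factor_ok=True)
    # Whoever holds the blob needs only the master password; MFA is never involved.
    r["blob_opens_with_password"] = open_vault(blob, password) == contents
    r["blob_rejects_wrong_password"] = open_vault(blob, "password123") is None
    # Hypothetical hardening: a device-held secret goes into the KDF as well.
    device_secret = hashlib.sha256(b"constructed device secret").digest()
    blob2 = seal(contents, derive_key(password, salt, device_secret), salt)
    r["hardened_blob_without_device_secret"] = open_vault(blob2, password) is None
    r["hardened_blob_with_device_secret"] = open_vault(blob2, password, device_secret) == contents
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The useful takeaway for a defender is that the second factor protects the account endpoint, while the offline strength of a leaked blob rests entirely on the KDF cost and the entropy of what goes into it; adding a device-held secret to the derivation is one way to make a stolen blob worthless without that second secret.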

If only the major sites would adopt it / there was an iOS app for it in the app store. Even now it isn’t there as far as I can tell