←back to thread

I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)
656 points EthanHeilman | 3 comments | 27 Jan 22 15:06 UTC | HN request time: 0s | source
Show context
Terretta ◴[27 Jan 22 19:40 UTC] No.30105267[source]
I'm not sure that ...

> “discontinue support for protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications."

... necessarily means TOTP.

Could be argued "supply" means code-over-the-wire, so all 3 being things with a threat of MITM or interception: SMS, calls, "supply" of codes, or push. Taken that way, all three fail the "something I have" check. So arguably one could take "supply one-time codes" to rule out both what HSBC does, but also what Apple does pushing a one-time code displayed together with a map to a different device (but sometimes the same device).

I'd argue TOTP is more akin to an open soft hardware token, as after initial delivery it works entirely offline, and passes the "something I have" check.

replies(1): >>30105736 #
kelnos ◴[27 Jan 22 20:10 UTC] No.30105736[source]
No, I'd expect it does include TOTP. Read it as "discontinue support for protocols that supply one-time codes". A TOTP app would fall under that description.

TOTP apps are certainly better than getting codes via SMS, but they're still susceptible to phishing. The normal attack there is that the attacker (who has already figured out your password) signs into your bank account, gets the MFA prompt, and then sends an SMS to the victim, saying something like "Hello, this is a security check from Your Super Secure Bank. Please respond with the current code from your Authenticator app." Then they get the code and enter it on their side, and are logged into your bank account. Sure, many people will not fall for this, but some people will, and that minority still makes this attack worthwhile.

A hardware security token isn't vulnerable to this sort of attack.

replies(3): >>30105850 #>>30106024 #>>30123461 #
Godel_unicode ◴[27 Jan 22 20:18 UTC] No.30105850[source]
All of this is really government we-don't-pick-winners speak for yubikeys.
replies(3): >>30106031 #>>30106640 #>>30107124 #
sodality2 ◴[27 Jan 22 21:03 UTC] No.30106640[source]
My OpenSK chip begs to differ. https://github.com/google/OpenSK
replies(1): >>30107660 #
1. Godel_unicode ◴[27 Jan 22 22:15 UTC] No.30107660{3}[source]
The disclaimer on the linked page agrees with me.

"This project is proof-of-concept and a research platform. It is NOT meant for a daily usage. The cryptography implementations are not resistent against side-channel attacks."

replies(1): >>30113646 #
2. tialaramex ◴[28 Jan 22 12:12 UTC] No.30113646[source]
There are a lot of other providers in this space, Yubico are the best known and probably one of the more competent offerings, but this is not a situation where the government is picking a winner by picking a standard.

A bunch of situations aren't going to end up with a separate physical authenticator anyway, they'll do WebAuthn, which in principle could be a Yubico Security Key or any of a dozen competitor products - but actually it's the contractor's iPhone, which can do the exact same trick. Or maybe it's a Pixel, or whatever the high-end Samsung phone is today.

That's what standardisation gets us. If CoolPhone Co. build a phone that actually uses a retina scan to unlock, they can do WebAuthn and deliver that security to your systems without you even touching your software. And yes, in the Hollywood movie version the tricky part is the synthetic eyeball so as to trick the retina scanner, but in the real world the problem is after you steal the ambassador's CoolPhone she can't play Wordle and she reports the problem to IT before you can conduct your break-in, synthetic eyeball or not.

replies(1): >>30119524 #
3. Godel_unicode ◴[28 Jan 22 19:55 UTC] No.30119524[source]
There are not a lot of providers on the FIPS list though. Coupled with the fact that virtually all government employees use Windows computers, and you end up right back where we started. The only real competition is Windows hello.

The various auth apps are problematic because they usually come with some kind of requirement for intune or similar to do remote attestation. That's a weird place for the government to be with contractors, since a lot of those contacts don't have language requiring that contractors have a phone at all, much less that they allow the federal government to MDM it.

It could be providers other than yubico, but it won't be.