Safe 2FA/MFA Brainstorming, Key Management and Self Authentication

All computers a typical user will touch are compromised or will be compromised in the future, it’s just a matter of how much.

The 2FA/MFA with OTP (one time passwords) can protect against compromised credentials and keyloggers but not screen scrapers or rootkits on the client device.

The problem with this is that the answers to any common set of personal questions one might ask are already public domain. To make it work the user would need to tell a secret to Safe that they have never told anywhere else and can’t be deduced from other personal info. This will be challenging. Seems a heck of a lot easier to educate users that they need to print multiple paper hard copies of their login credentials and store them in secure locations.

The “something you are” is a problem. Biometrics are dangerous. The last thing you want is to have your hand be the thing that opens up a $10M Safe account. The xkcd comic you shared would involve an axe instead of a wrench at that point.

I would propose a slight modification to the triad:

  1. Something you know. (ex. I know which lock is mine…)
  2. Something you have. (ex. I have the correct key for my lock… )
  3. Something you can do. (ex. I can rotate the key 3 times clockwise and 2 times counter-clockwise to unlock my safe today…)

An example of “something you can do” might be to use what you have, and what you know, to give an OTP in response to a challenge question/riddle/puzzle.

4 Likes

Can Do is also susceptible to a rubber-hose attack in just the same way.

Except I guess it could be attacked remotely via extortion as well. “Tell us how many times to twist the key or we’ll tell your granny!” The example you give isn’t really much different from something you know.


The main thing is here, that with Safe not having any public identifier element to credentials (e.g. email address or username) remote or bulk targeting is almost eliminated.

If someone wants to target you specifically, because you have some information they want, or they know you have some big stack of tokens they want to steal, then they can target you remotely with say a key logger etc.

Something you Have or Are or Can Do protect against that… at which point what is left is the extortion, rubber-hose or some other physical threat. So a lot of this comes down to personal privacy up front.

But the thing about second factors such as and Are/Have is that they are a good guard against less targeted attacks, malware, ransomware etc which are much more common, almost always remote, and low cost for the attacker. They can also be used to beef up security in this regard, while also increasing convenience, making it more likely that an individual will have a generally stronger security package.

That’s why I’m suggesting perhaps we need a suite of options that people can use based on an individual’s threat model.

2 Likes

Side note, I think we should probably be encouraging everyone to have MFA to protect from a bulk/indiscriminate brute force. E.g. an attacker using a password list to try every combination of password/passphrase until they unlock something, and hoover up the tokens within.

A second factor protects against that, but it needs to be easy and convenient to get wide adoption. Biometrics built into phones are a great option for this, as it’s just super easy. But there are other options as well.

2 Likes

Yes, there would be a cost to write to the network, which isn’t ideal. Perhaps you could only unlock if there were sufficient funds to lock again too?

How about this as an alternative solution, which would use a random number instead of epoch (to avoid timing issues).

  1. Have a primary account where your data lives.
  2. Have a second account for authentication purposes only.
  3. Store a shared secret in both accounts.
  4. To generate a 2FA token, append a random number to the shared secret, then hash it to generate the token. Prefix random number to token with defined padding/size.
  5. On login to primary account, the token would be split to retrieve random number then repeat the hashing process to confirm the hashes match.
  6. The token is then appended to an expired tokens list to prevent re-use. If insufficient funds were available to expire the token, it would remain active, which would decrease security (via eavesdropping).

From doing a bit of digging, this is essentially how common 2FA solutions work but the ‘random number’ is generated by the system clock, allowing them to expire automatically with time. However, if we are avoiding clocks, there isn’t a common self expiring value we can retrieve from independent devices (to my knowledge).

Ofc, we could rely on the clocks of the devices and then a traditional take on the above, implicitly using epoch time in place of the random number above. Is it desirable to depend on the system clock? If nodes don’t sync their clocks (with no clear net access, how could they?), drift could become an issue too.

It seems that we have a choice - to achieve OTP (without external/clear net access), we either need to rely on a common/external counter (e.g. epoch time) or we must write some data to manually invalidate ‘used’ OTPs. Is there a third way?

EDIT: a common/external counter could also be some sort of oracle on safe network. Is there a public data item that will periodically change that we can reliably query? Something internal to do with aging/splitting, perhaps? It need not be time or even a sequence, necessarily. It would be great to use something like that, which would not need to be maintained/updated by some app.
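The six steps above as a runnable Python sketch. This is an added example, not code from the thread or from the Safe Network project. It assumes HMAC-SHA256 keyed with the shared secret in place of hashing the secret with the number appended, a 16-byte random number, and a hypothetical `PrimaryAccount` class whose `balance` stands in for the funds needed to write to the expired-token list.

```python
import hashlib
import hmac
import secrets

NONCE_BYTES = 16  # fixed size so the token splits unambiguously (step 4)


def make_token(shared_secret: bytes) -> bytes:
    """Authentication account side: nonce || HMAC-SHA256(secret, nonce)."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    tag = hmac.new(shared_secret, nonce, hashlib.sha256).digest()
    return nonce + tag


class PrimaryAccount:
    """Primary account side: verifies tokens and records spent nonces."""

    def __init__(self, shared_secret: bytes, balance: int, write_cost: int = 1):
        self._secret = shared_secret
        self.balance = balance        # constructed stand-in for network funds
        self.write_cost = write_cost  # assumed cost of one expired-list write
        self.expired = set()          # nonces that can no longer be used

    def login(self, token: bytes, require_expiry: bool = True) -> bool:
        if len(token) != NONCE_BYTES + hashlib.sha256().digest_size:
            return False
        nonce, tag = token[:NONCE_BYTES], token[NONCE_BYTES:]
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False              # wrong secret or altered token (step 5)
        if nonce in self.expired:
            return False              # replay of a spent token
        if self.balance >= self.write_cost:
            self.balance -= self.write_cost
            self.expired.add(nonce)   # step 6: the token is now single-use
            return True
        # The expiry write cannot be paid for: refuse the login unless the
        # caller explicitly accepts that this token stays replayable.
        return not require_expiry
```

With `require_expiry=True` the login fails when the expiry write cannot be paid for, which is the "only unlock if there are funds to lock again" option; with `require_expiry=False` the same token keeps working until funds return.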

But you’re still locked out regardless. :thinking:

True - maybe that is the cost of security?

The triad analogy isn’t perfect. Something you know and something you are/do essentially boil down to something you have. The human mind will need assistance, so all three items will eventually get written down on paper analogous to a btc cold wallet.

No, it’s not.

1 Like

Can you elaborate?

1 Like

In my opinion a strict 2FA will not be suitable for Safe since Safe is supposed to allow a person access to the network if all they have is an Internet Cafe computer. Reasons why people may not have a 2FA device with them are numerous. On holidays and everything stolen and you need to get access to the network to get access to funds.

2FA is not really secure to someone who wants access and has access to all your personal answers (even the ones you mess up deliberately). WHY? Because virtually every 2FA for a commercial site or typical site has the option for the user to contact the site support and reset their account. 2FA bypassed by answering questions. Your bank, your shopping site, your financial institution, your favourite forum site (including this one). It is actually very limited where you cannot bypass 2FA by not answering questions (&/or provide documentation) to the site’s support people.

I suggest that we need to work out a new standard for how we handle the additional step to access our Safe Account to ensure it’s secure. No one can guarantee that their 2FA device will be available.

I am not suggesting simply answering questions is suitable, but we need some sort of 2FA that is not reliant on an actual device.

For instance maybe something like a rolling code application that if you have a browser then you have access, all you need to remember is the seed and maybe the computer date can be used to tell Safe & the browser APP where in the sequence it is.

I think there will be different options, so any of the approaches discussed might be suitable.

Based on different modes of access with different trade offs between convenience and security we could allow different privileges based on the means used to authenticate.

I think a privilege level approach has some advantages, both in terms of ensuring access to lower grade information easily, and in cases where access is coerced allowing compliance without giving up everything. I imagine there are other use cases for this approach.

If so, we might need to consider this when designing the capabilities UI to make it easy to manage different grades of information across different types of information. For example, I might own several Safe IDs managing websites or services, but only want some visible if I use a less secure authentication method than a more secure one. cc @JimCollinson

I think this goes a bit beyond the initial account capabilities, but no harm in thinking ahead wrt UX if we think it is an important feature you add later.

1 Like

In fact when the password and PIN was the method, it allowed multiple accounts by simply using a different PIN.

What you describe is what I would think as multiple login accounts and each account is a sub/super set of the others (or some other combination)

And to make it easy for the user there would need to be an APP that can access multiple accounts at once in order to set it up or modify things.

I wonder if 2FA might make things worse for the average Joe by encouraging password/passphrase re-use. Will have a look to see if any studies have been done on this.

Edit: only found this so far - not a study: 2FA Kind of Sucks - Misunderstandings & Undesired Consequences - Password Bits

This looks like a straightforward solution to the problem of password reuse: Naked Security – Sophos News

IU had a particularly low password reuse rate thanks to its tough requirements, which leads the authors to the conclusion that:

Passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites.

Conversely, universities with lower requirements suffered password reuse rates of up to 40%, they wrote. And, of course:

Our recommendations are not only applicable for universities, but also can be used by other organizations, services or applications.

The discovery here seems to be that longer and more random passwords are harder to remember, which has the effect of making them harder to reuse.

Put another way, if every website had similarly demanding policies, reusing passwords might become too inconvenient to bother with.

I guess it’s SAFE to presume that the Safe UI will have something like this to ensure strong passwords/passphrases.

Only things that look like any sort of value get stolen. HW tokens can be made to look like everyday things with no value, pen or toothbrush for example. Or people can go Cyberpunk :slight_smile:

Safe passwords are very hard to achieve and people are notoriously bad at it. According to Microsoft if you take the publicly leaked password databases it is around 500M passwords and with that you are able to break >70% of user passwords.

1 Like

Face/Touch id is great when the highest security levels are not needed. In my mobile banking app I can login using only face or touch ID and I can transfer money between my own accounts. If I need to transfer money to someone else I need to use 2FA to confirm.

Multiple security levels like this makes it more convenient to use, without much risk, as the consequences of a breach of the low level are low. If you want to browse the SAFE Network on your phone, then it would be very nice to be able to login and do basic things with only biometrics, having a wallet with some small amount of safe network tokens to post comments etc. Then accessing all your data might for example require a higher security level.

2 Likes

Taking a step back, I wonder what the ratio of Bitcoins Lost is to Bitcoins Stolen? I’ve literally no idea but I read recently that 20% of Bitcoins are irrecoverably lost, and I’m willing to bet that’s many times more the Stolen figure. If so then the biggest risk factor with password unrecoverable systems is definitely the user himself, and security for the average Joe and his average data must be made as foolproof as possible. No point in implementing Fort Knox style security if the most likely scenario is you’re going to lose your key. If you need more security then this should be optional, but at an app or service level.

6 Likes

100% agree with that. There is a risk both ways. Assessing which fits you best is a tricky and personal decision.

Still does not change the point. The point was not that particular circumstance. It could be as simple as losing one’s keys/phone/etc at the beach while swimming and need to contact others via Safe. Doesn’t matter if person careless or not.

BUT there are thousands of other circumstances where one will need to use the Safe Network but not have access to their 2FA whether it’s a cool device or some cloaked thing.

The point is we also want it to be used by those whistle blowers who may be in hiding and have no ability to grab their belongings and thus no 2FA.

That is why we need to do more than cry about how passwords and other things won’t work BUT come up with something that will work with Safe. Thus my idea of one method being maybe a rolling code (A real 2FA) built into the browser and all the person needs is their seed to prime it. Then they can obtain their 2FA code for Safe without requiring a separate device to do it.

Is that the best way? Dunno but maybe people can brain storm something better from that or show how it’s not good enough.

I always have trouble with these since an accident can end up locking you out forever. Car accident for instance can leave one’s face never matching previous facial recognition again. Similar for hand or finger.

Need to be specific on how they are stolen. If scammed by getting people to send it then I doubt it should be included in your stolen. Nor keyloggers/malware that waits for a wallet to be opened and then transfers funds in the background.

It seems you are meaning somehow getting the password to wallet etc. That would be a much smaller subset of what people consider stolen bitcoin.

Again a smart keylogger/malware can break 2FA because all device type 2FA has a window where the person enters the 2FA code. It can quickly log into the account on another PC by transmitting the password and 2FA code to second PC across the world within a second which is way under any window.

The way to beat that is the code cannot be used twice. Interestingly the printed pin codes can beat it since the code can only be used once.

And traditional 2FA for say financial sites can be bypassed by answering the questions the support staff ask. To me that 2FA is only as good as the questions.

What I think is essential is informing the user that the password is not secure when they enter insecure passwords giving them a chance to improve their password.

For me we need a 2nd authorising mechanism unlike a 2FA device but well suited for Safe and the user can choose to enable it if they want.

1 Like
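The rolling-code idea (a seed plus the computer date) combined with the rule that a code cannot be used twice, as a runnable Python sketch. This is an added example, not code from the thread or the Safe Network project. It assumes the RFC 6238 (TOTP) construction with a 30-second step; `RollingCodeVerifier` and its `drift_steps` tolerance are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed length of one time step


def code_at(seed: bytes, step: int, digits: int = 6) -> str:
    """Code for one time step, computed as in RFC 4226/6238 (HMAC-SHA1)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class RollingCodeVerifier:
    """Accepts a code once, tolerating a bounded amount of clock drift."""

    def __init__(self, seed: bytes, drift_steps: int = 1, digits: int = 6):
        self.seed = seed
        self.drift_steps = drift_steps  # steps of clock drift tolerated
        self.digits = digits
        self.last_step = -1             # newest step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP_SECONDS
        first, last = current - self.drift_steps, current + self.drift_steps
        for step in range(first, last + 1):
            if step <= self.last_step:
                continue  # this step's code is spent, even inside the window
            expected = code_at(self.seed, step, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step   # state the verifier must persist
                return True
        return False
```

A code relayed to a second machine inside the same window is rejected once the first login has been accepted, but only because the verifier stores `last_step`; a purely clock-based check with no stored state would accept it again.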

This would only be to make it convenient to login on mobile, so there would need to be an alternative for desktop in any case. That alternative could be used if biometrics are no longer working.

Is 2FA actually ‘key management’ (wikipedia)?

You want to read something private, you need a key to decrypt.

You want to change something, you need a key to sign.

Seems to me that 2FA is ‘just’ fancy wrapping around key management.

Haven’t seen the phrase ‘key management’ used in this topic so wanted to put it here in case it helps. Maybe it’s not a helpful angle to take?

4 Likes