2FA, A False Sense of Security?

Following the announcement for Omega Market and seeing their implementation for logging in, it got me thinking. How much security does PGP 2fa really provide? I'll start with this definition on Wikipedia.

Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).[1][2]

Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

A good example from everyday life is the withdrawing of money from a cash machine; only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out.

Typical 2 factor authentication employs two pieces of info, in our case it's the password (something you know) and the PGP key (something you know) but these two pieces of info are being inputted into the same area, meaning a savvy phisher will be able to gather both pieces of info in one go. Their login will be limited to this one instance as logging out will require a code again and disabling 2fa typically requires another encrypted code; auto log out can be mitigated by performing an action on the site every so often and this could be automated by a bot.

So what does 2fa protect us from? Less savvy phishers who don't fetch the pgp code for one and people who reuse passwords across sites, which as we all know is stupid as fuck. Now if we reduce the login to just pgp authentication then we are still protected from the same things as our regular 2fa offers so in all reality, pgp authentication is the only thing that protects us from shitty phishers and is the only login method we really need when assuming the user is competent. Now there's a possibility it can also protect you from physical intrusion in the form of LE or another malicious actor but that's only if your PGP password is separate from your market password; this is a good example of having a few easy to remember but hard to guess passwords only in your head to prevent this from happening.

I feel like there is this image around here that having 2fa protects you from phishers which couldn't be more true. You are the only person who can protect you from phishers and it starts with good links and cross site verification/authentication. Having 2fa only protects you from shitty phishers and your own incompetence which could be true for many around here. IN the

Is there a better way to employ 2fa? I'm no security expert but here's one I've thought of.

The encrypted message contains a code and an onion URL, that page contains a secret phrase the user would've set up previously, this page contains a direct link to the site and upon entering the code would complete the login and redirect to the site. Even if the user was previously on a phishing site, the new URL (that the phisher can't see due to encryption) and secret phrase (that only the legit site would know) would completely reroute them around the phisher.

This incorporates something you know (your username), something you have (your pgp) and then something you know again (the secret phrase) but only after you've proven that you own the pgp key. I have no comments on how viable this is as I don't run hidden services.

Thoughts?
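
The login flow proposed in the post above, modelled on the server side as an added example (not code from the post or from any site). PGP encryption is left out: `issue_challenge` returns the plaintext that would be encrypted to the user's public key, and the class name, the `/confirm/` path and the 300-second lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds a challenge stays valid (assumed value)

def _h(value):
    # Only hashes are stored, so a leaked pending table does not yield usable tokens.
    return hashlib.sha256(value.encode()).hexdigest()

class LoginServer:  # hypothetical name, for illustration only
    def __init__(self):
        self.users = {}    # username -> secret phrase chosen at signup
        self.pending = {}  # hash(url token) -> (username, hash(code), expiry)

    def register(self, username, secret_phrase):
        self.users[username] = secret_phrase

    def issue_challenge(self, username, now=None):
        """Build the message that would be PGP-encrypted to the user's key."""
        now = time.time() if now is None else now
        url_token, code = secrets.token_urlsafe(32), secrets.token_hex(4)
        self.pending[_h(url_token)] = (username, _h(code), now + TOKEN_TTL)
        return {"url": f"/confirm/{url_token}", "code": code}

    def _live(self, url_token, now):
        now = time.time() if now is None else now
        entry = self.pending.get(_h(url_token))
        if entry is None or now > entry[2]:
            self.pending.pop(_h(url_token), None)  # drop expired challenges
            return None
        return entry

    def confirm_page(self, url_token, now=None):
        """Step 1: reveal the secret phrase only for a live, unguessable URL."""
        entry = self._live(url_token, now)
        return self.users[entry[0]] if entry else None

    def complete_login(self, url_token, code, now=None):
        """Step 2: the code finishes the login; the challenge is single use."""
        entry = self._live(url_token, now)
        if entry is None:
            return None
        del self.pending[_h(url_token)]  # burned on first attempt, right or wrong
        return entry[0] if hmac.compare_digest(entry[1], _h(code)) else None
```

Without the decrypted message a relay only ever holds ciphertext, so it cannot reach `confirm_page`; the secret phrase is what lets the user tell the confirm page apart from a copy.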


Comments


[7 Points] The_OPs_Mommy:

Yeah that is pretty much the most secure way.

The issue with people trying to prevent phishing is that past a certain point it's almost a fool's errand.

The particular login methods being discussed aren't really to "prevent phishing" per se. But rather to allow the serious buyers and vendors to be able to verify the authenticity and integrity of the site on which they're conducting business.

The thing to remember is that these methods can almost always be defeated and circumvented depending on a dumb enough user and a clever enough attacker.


[2 Points] gangsterdam020:

DNP!


[2 Points] murderfluffybunnies:

At what point is the onus on the buyer to not be a dummy? IMO 2fa is fine as long as you are paying attention. Save your links, only use new ones that have been signed by the market, and poke around the new mirror immediately emptying into escrow.


[1 Points] CommaCazes:

Having the encrypted message be a link with a special authorization token is a decent idea.


[1 Points] BarryHash:

I have never heard of a phishing site simultaneously inputting the username and password as entered on the phishing site onto the legit market in order to generate an encrypted message which they then relay to the user to decrypt. I mean it's possible but it ain't happening.

You're saying you need to enter a secret code to login that only the user knows, so you need to enter a code to login, which is what a password is, so why would having to enter two be any securer than having to enter one? The phisher would just ask for the username, password and code.


[1 Points] locofloco:

Using a Yubikey auth implementation would be a great solution for improving security.


[1 Points] TheTrixsta:

We should introduce SecureTokens for an extra layer of security.


[1 Points] alfabi:

Theory: Phisher could scrape/copy common buyers' usernames and public PGP on legit market site and make phishing site with this data and where user enter username and password and phishing site will allow pass 1st step access regardless of in/correct password to the next 2FA step, phishing site will encrypt some code with that username public PGP scraped before and user would be able to decrypt (because it's his PGP key) and access phishing site. Phishers could acquire this data (usernames and public PGP) by other means too.
That is why PGP keys from common buyers' accounts should not be visible to anybody or on site display name should be different than login username.