Following the announcement for Omega Market and seeing their implementation for logging in, it got me thinking. How much security does PGP 2fa really provide? I'll start with this definition on Wikipedia.
Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).
Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.
A good example from everyday life is the withdrawing of money from a cash machine; only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out.
Typical 2-factor authentication employs two pieces of info; in our case it's the password (something you know) and the PGP key (something you know), but these two pieces of info are being inputted into the same area, meaning a savvy phisher will be able to gather both pieces of info in one go. Their login will be limited to this one instance, as logging out will require a code again and disabling 2fa typically requires another encrypted code; auto log out can be mitigated by performing an action on the site every so often, and this could be automated by a bot.
So what does 2fa protect us from? Less savvy phishers who don't fetch the pgp code, for one, and people who reuse passwords across sites, which as we all know is stupid as fuck. Now if we reduce the login to just pgp authentication then we are still protected from the same things as our regular 2fa offers, so in all reality pgp authentication is the only thing that protects us from shitty phishers and is the only login method we really need when assuming the user is competent. Now there's a possibility it can also protect you from physical intrusion in the form of LE or another malicious actor, but that's only if your PGP password is separate from your market password; this is a good example of having a few easy to remember but hard to guess passwords only in your head to prevent this from happening.
I feel like there is this image around here that having 2fa protects you from phishers which couldn't be more true. You are the only person who can protect you from phishers and it starts with good links and cross site verification/authentication. Having 2fa only protects you from shitty phishers and your own incompetence, which could be true for many around here. IN the
Is there a better way to employ 2fa? I'm no security expert but here's one I've thought of.
The encrypted message contains a code and an onion url. That page contains a secret phrase the user would've set up previously, and a direct link to the site; entering the code there would complete the login and redirect to the site. Even if the user was previously on a phishing site, the new url (that the phisher can't see due to encryption) and secret phrase (that only the legit site would know) would completely reroute them around the phisher.
This incorporates something you know (your username), something you have (your pgp) and then something you know again (the secret phrase) but only after you've proven that you own the pgp key. I have no comments on how viable this is as I don't run hidden services.
Thoughts?
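The flow proposed in the post, modelled end to end as an added example that is not code from the thread or from any market. The PGP step is replaced by a stand-in authenticated stream cipher (HMAC-SHA256 keystream plus tag) so it runs offline with the standard library; a real deployment would encrypt the challenge to the user's PGP public key. The onion address, user names, keys and phrases are constructed placeholders. The point it shows is the one the post makes: a page that reaches the user through the encrypted message but does not display the user's phrase is rejected, and the code is single-use and time-limited, so it cannot be replayed.

```python
"""Toy model of a PGP-bound login: encrypted challenge -> one-time URL -> phrase check -> code."""
import hashlib
import hmac
import json
import secrets
import time

LOGIN_ONION = "exampleloginaddressplaceholder.onion"  # constructed placeholder, not a real service
CODE_TTL = 300  # seconds a pending challenge stays valid


# ---- stand-in for "encrypt to the user's PGP key" (NOT PGP; assumption for offline use) ----
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_to_user(key: bytes, plaintext: bytes) -> bytes:
    """nonce || plaintext XOR keystream || HMAC tag; only the key holder can open or forge it."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_with_user_key(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob is not addressed to this key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# ---- server side --------------------------------------------------------------------------
class LoginServer:
    def __init__(self):
        self.users = {}    # username -> {"key": bytes, "phrase": str}
        self.pending = {}  # one-time login token -> challenge record

    def register(self, username: str, key: bytes, phrase: str) -> None:
        self.users[username] = {"key": key, "phrase": phrase}

    def start_login(self, username: str) -> bytes:
        """Step 1: only the username is typed on the (possibly phished) page.
        The code and the login URL travel inside the encrypted message."""
        user = self.users[username]
        token = secrets.token_urlsafe(16)
        code = secrets.token_hex(8)
        self.pending[token] = {"user": username, "code": code, "expires": time.time() + CODE_TTL}
        msg = json.dumps({"code": code, "url": f"http://{LOGIN_ONION}/login/{token}"}).encode()
        return encrypt_to_user(user["key"], msg)

    def login_page(self, token: str):
        """Step 2: the one-time URL shows the phrase that only the real site knows."""
        rec = self.pending.get(token)
        if rec is None or rec["expires"] < time.time():
            return None
        return {"phrase": self.users[rec["user"]]["phrase"], "token": token}

    def complete_login(self, token: str, code: str):
        """Step 3: the decrypted code is entered on that page. The token is consumed on
        the first attempt, right or wrong, so a captured code cannot be replayed."""
        rec = self.pending.pop(token, None)
        if rec is None or rec["expires"] < time.time():
            return None
        if not hmac.compare_digest(rec["code"], code):
            return None
        return {"session_for": rec["user"]}


# ---- client side --------------------------------------------------------------------------
def client_login(server: LoginServer, username: str, key: bytes, expected_phrase: str):
    """Runs the flow as the user would; returns a session dict or None on any mismatch."""
    blob = server.start_login(username)
    challenge = json.loads(decrypt_with_user_key(key, blob))
    token = challenge["url"].rsplit("/", 1)[1]
    page = server.login_page(token)
    # The phrase check is the anti-phishing step: a page that cannot show the phrase is not the site.
    if page is None or not hmac.compare_digest(page["phrase"], expected_phrase):
        return None
    return server.complete_login(token, challenge["code"])
```

The username is the only thing typed on whatever page the user started from; the code and the URL are readable only by the key holder, and the phrase is only known to the server the user actually registered with, which is why the flow routes around a page that merely relays the username.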
Yeah that is pretty much the most secure way.
The issue with people trying to prevent phishing is that past a certain point it's almost a fool's errand.
The particular login methods being discussed aren't really to "prevent phishing" per se, but rather to allow the serious buyers and vendors to be able to verify the authenticity and integrity of the site on which they're conducting business.
The thing to remember is that these methods can almost always be defeated and circumvented depending on a dumb enough user and a clever enough attacker.