
I'm still a big fan of passwords. Long, hard to guess passwords. More than one password/phrase as a failsafe, in case I lose it.

I got my first iOS device 3 days ago as a gift, an iPad. During the excitement of the setup process, I was told to set up 2FA for my iCloud account, which I've never conscientiously used since I own no iOS devices. Now all my Apple IDs, from my 2009 iMac to my MacBook, are tied to the darn 2FA and... my phone number.

Apparently 2FA for Apple IDs cannot be rolled back! Now every time I want to upgrade something on my MacBook I have to get an SMS code on my (vulnerable) phone to access my Apple account. This is a very unfortunate decision by Apple.

Like I said, I'm a big fan of passwords. Just give me 2 or 3 passwords or passphrases (or secret patterns) as backup for my main password. Require them to be long and complex. Something that is inside my brain and only Leonardo DiCaprio can steal. Not my dad's middle name or pet name or school teacher's name. I'm not a security expert, but I still feel that's the most secure way to protect an account.



Passwords don't work these days for sophisticated attacks. Phishing is too easy.

I repeat, they don't work. No 2FA means you'll experience many successful account takeover attacks on your customers. 2FA does not mean you won't, though.

Coinbase had a great talk about account takeover attacks at the recent DEF CON. They receive some of the most sophisticated attacks, sometimes when attackers already have control of every other account that the target has. Email, Facebook, Apple Cloud - you name it, now they come for the coins, to cash out.


Phishing, as in entering your password into a field pwnd by a hacker, seems like the problem to solve: how can we avoid giving out our password to a rogue player?

There are simple and complex solutions out there; we should keep taking small steps in the direction of safer password authentication, like how browsers show users the certificate validity, or things requiring a secret, individualized secret question so that you know the host is not phishing.

I agree passwords are far, far from ideal and that 2FA is probably just adding complexity for the hackers, hence making it appear to be a better option, but this is just for the time being. Phone-based 2FA is flawed at the root (of how SIM cards work), so we should keep working on improving password security [1] instead of throwing ourselves into the arms of a flawed phone 2FA.

[1] https://a16z.com/2019/07/25/passwords-are-dead-again/


U2F and its successors like FIDO2 were specifically designed to prevent phishing. [0] Google claims that it has entirely eliminated phishing of their employees who have been issued U2F keys. [1] The solutions to these problems are available.

[0] https://fidoalliance.org/fido2/

[1] https://krebsonsecurity.com/2018/07/google-security-keys-neu...


It's not clear to me how 2FA would help against a phishing attack. Is there something I'm missing?

My understanding is that 2FA helps protect against weak passwords and password leaks. That's it. If you give me your password via a phished site, then you'll also just as readily give me your 2FA code. Then I can log into your account and turn off 2FA, generate new login codes, or just keep the login session running indefinitely.

How does 2FA help prevent any of that?


Maybe if you set up a site that looks like a login form, phish for the PW, then immediately forward it to the target site, then do the same for a 2FA token, you have a point.

But in any other case where the victim isn't in the loop, that 2FA protects them (hopefully). If you haven't been to target.com in a week, you're not going to click the pop-up on your phone to log in out of the blue (hopefully).

Ideally your 2FA methods are not as simple as just sending a code and having the user parrot it back though. There might be some cryptography going on that would make it even harder for the attacker to interfere.
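The two comments above (U2F/FIDO2 "specifically designed to prevent phishing", and "some cryptography going on that would make it even harder for the attacker") come down to one server-side check: the authenticator signs the origin the browser is actually displaying, and the relying party rejects any assertion whose origin is not its own. The script below is an added illustration written for this thread, not code from any commenter, Apple, Google or the FIDO Alliance. It mimics the shape of a WebAuthn assertion but uses an HMAC with a per-credential secret in place of a public-key signature so it runs with the standard library alone; the origins `accounts.example.com` and `accounts-example.com` are constructed. For contrast it also shows a TOTP-style check (RFC 6238 shape) whose verification takes no origin at all, which is exactly why a code typed into the wrong page is indistinguishable from one typed into the right page.

```python
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://accounts.example.com"        # constructed relying-party origin
LOOKALIKE_ORIGIN = "https://accounts-example.com"  # constructed look-alike origin


# ---------- Origin-bound assertion (shape of a WebAuthn / U2F sign-in) ----------

class Authenticator:
    """Stand-in for a security key. A real key signs with a per-site private key;
    HMAC with a per-credential secret is used here so the script needs only stdlib."""

    def __init__(self):
        self.keys = {}

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.keys[cred_id] = (rp_id, key)
        return cred_id, key   # handed to the RP at registration (a public key in reality)

    def get_assertion(self, cred_id, challenge, browser_origin):
        # The browser, not the web page, fills in the origin it is actually showing,
        # so a page cannot claim to be an origin it is not being served from.
        _rp_id, key = self.keys[cred_id]
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True).encode()
        sig = hmac.new(key, hashlib.sha256(client_data).digest(), "sha256").digest()
        return client_data, sig


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}
        self.pending = set()

    def register(self, cred_id, key):
        self.credentials[cred_id] = key

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify_assertion(self, cred_id, client_data, sig):
        """Returns (ok, reason). Each check mirrors one a real relying party performs."""
        key = self.credentials.get(cred_id)
        if key is None:
            return False, "unknown credential"
        expected = hmac.new(key, hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"            # origin field cannot be rewritten
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if data.get("origin") != self.origin:
            return False, "origin mismatch"          # the phishing-resistance check
        if data.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        self.pending.discard(data["challenge"])      # challenges are single use
        return True, "ok"


def origin_bound_login(browser_origin):
    """Run a whole ceremony with the user's browser sitting on `browser_origin`."""
    rp = RelyingParty(RP_ORIGIN)
    auth = Authenticator()
    cred_id, key = auth.make_credential("accounts.example.com")
    rp.register(cred_id, key)
    challenge = rp.new_challenge()   # an intermediary page could relay this unchanged
    client_data, sig = auth.get_assertion(cred_id, challenge, browser_origin)
    return rp.verify_assertion(cred_id, client_data, sig)


# ---------- One-time code (TOTP-style, RFC 6238 shape) ----------

def totp(secret, t, step=30, digits=6):
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, "sha1").digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret, code, t):
    """Note the signature: no origin argument. The server only learns that the
    code is current, not on which page the user typed it."""
    return hmac.compare_digest(totp(secret, t), code)


if __name__ == "__main__":
    print("genuine origin:", origin_bound_login(RP_ORIGIN))
    print("look-alike origin:", origin_bound_login(LOOKALIKE_ORIGIN))
```

Run it and the genuine-origin ceremony returns `(True, "ok")` while the look-alike-origin ceremony returns `(False, "origin mismatch")` even though the challenge and the credential are the same; the user never had to notice anything. The TOTP path has no equivalent of that check, which is the gap the earlier comments describe.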


Link to talk?


> Now every time I want to upgrade something on my MacBook I have to get an SMS code on my (vulnerable) phone to access my Apple account. This is a very unfortunate decision by Apple.

This sounds strange. I always get the 2FA authorization message and the code through a push notification from Apple that appears as a dialog on the device(s) used to authorize access from another device. SMS or voice call is used for the initial setup though. [1]

[1]: https://support.apple.com/en-us/HT204915


> Apparently 2FA for Apple IDs cannot be rolled back!

Apple removed the option to turn off two-factor authentication on some Apple IDs created in iOS 10.3 or macOS 10.12.4 and later.

A couple of years ago, I forgot the question/passphrase sequence for two-step verification and subsequently got frozen out. I had initially set it as samephrase1..2..3 in an effort to refrain from supplying PII. In order to reset, I managed to opt-in to 2FA and then revert back to initial setup.

I would have continued to think of the above process as the norm, until I read your comment and followed the support link provided by the other commenter, which states that the 2FA process cannot be undone anymore! However, there seems to be a slightly convoluted alternative, i.e. unlinking the existing Apple ID and attaching a new one for iCloud only, thus keeping the (old) existing one for the App Store and other services.

https://support.ikeymonitor.com/hc/en-us/articles/1150008243...


If you have an Apple device logged in to the account then Apple uses its own push notification infrastructure instead of SMS. Apple calls it “Trusted Devices”:

https://support.apple.com/en-us/HT204915

Also, SMS is always in addition to your password. If you forget your password and you don’t have a trusted device from which to reset it, then Apple uses a recovery procedure which requires more than just SMS for verification.

You can also enable a recovery key which will then prevent SMS from being used to reset your password. With a recovery key you need to either use a trusted device or the key to reset your password.


How does adding a second factor of authentication to an already good password make it less secure?


Because they let you use the phone number to reset the password.


Which effectively reduces it back to 1-factor authentication. There's an adage somewhere that is probably worded better but which boils down to your security is only as good as your weakest link.


So you can’t add it as a second factor but not as a recovery mechanism?


If you type in the same password every time, that's already a possible security breach. Single-use 2FA is good because you need one separate code for each transaction.

SIMs and phones being vulnerable is different from 2FA not working.
