Keep your accounts safe!

This is still incorrect.

MFA is a concept in the security world that you were partially correct on:

MFA is the term coined to enact these principles of what a key should be. Passkeys are a FIDO2 credential that is built ontop of that concept.

Passkeys take the crypto auth (usb key/fingerprint/faceid) the private key is decrypted for one time use to sign a challenge which is used to authenticate you.

Besides that component there are multiple parts of the passkey procedure that are supposed to account for the factors.

Something you have: This is always present in passkeys because it’s the private key. A core part of this is to ensure someone else can’t use it without your knowledge (in a malware setting) is passkeys require something called “intentionality” (You must intend to authenticate) This is why usb keys require tap/button press.

Something you are: Faceid/fingerprint work similarly to usb keys. To “unlock” the private key you have to perform your intentionality. For this factor a biometric must be presented.

Something you know: Most of the time this is a 2 digit number presented to you that you have to enter before presenting a biometric. Often referred to as push notification authentication. This is one of the newest forms of factors.

Passkeys in their RFC implementation: Design Guidelines | Passkey Central
Account for 2 or more of the factors and encapsulate MFA.

A very important technical detail I always cover when I educate corporations on why passkey adoption is important is reverse proxy phishing

RPP will make you authenticate your MFA. All factors and intentionality will be bypassed and a session token will be given to an attacker. I have demo’d this attack to people, I know how it works in detail.

In the case of passkeys the URL is part of the crypto chain. You Cant authenticate to a phishing page with a passkey. It’s technologically impossible. The power of passkeys come from MFA + intentionality + cryptography
All three of those make passkeys THE most secure way to authenticate.

This is actualy 2 layers in MFA, its the something you have (the usb device), and there is the ‘random’ factor, in which your button press can only authenticate a very specific action (cryptographicly ciphered).

The something you are vector that you mentioned is actualy identical to a password in how safe it is and what it handles. Which is why it generaly just replaces it (because lets be honest, most people are bad at managing passwords). But it has 2 significant weaknesses: it can (un)intentionaly be recorded, and it cannot be changed.

While it generaly generates a longer ‘password’, its still just the same. It can be spoofed once known, and is on that permanent. Visit the USA once, and they have your biometric password.
So password and biometrics are still just a single factor. Biometrics with governments recording fingerprints is actualy a security hazard as it gives a sense of false security.

‘Something you are’ is for that reason outdated and replaced in what is deemed ideal.

And thats why i said identifies the action. Its a bit more vague, but it involves the step of doing something explicit that only you can do, because the action is only presented to you, and ciphered. You can verify it in many ways (depends on what security level they demand). But this does include: biometrics (a fingerprint check requires a manual action), metadata (where you are, and if the time matches with some other known patterns), or even just reading on a screen what action is about to be taken before pressing a very simple button.

And this is still deemed unsufficient as for example google knows too much about you, so they could potentialy guess at other platforms what the answers are here.
This is where the old password (which can be time seeded!) can still make things harder. This is why you still often get those codes sent to you as step.

But this only proves how difficult security truly is. And for now its a balance between security and convenience, which decides the optimal method.

That is correct. Multiple factors are often coupled together in the process to make things easier for the user. (But note intentionality is not a factor)

This is why it’s not really used in that fashion. Biometrics are typically used like a TPM trigger on a computer (that is actually the case with windows hello)

This isn’t true. The biometric itself is not typically a key for access, it’s a key that unlocks the actual key for one time use. The biometric is almost always an intentionality marker. It fulfils the factor because it is something you are, but the technical parameters are not very secure.

It’s akin to using a pin on a USB key. Same crypto exchange.

An action and a biometric are not the same, one of those is a key + intentionality, the other is just intentionality (which is not a factor)

That is true. Billions and Billions of dollars have been spent on the fido alliance to build better and better authentication schemes.

Its the same to how bank apps handle the verification for a transaction. Instead of a pincode they ask for the fingerprint. This covers the ‘something you do’ action.

The problem there is ofcourse still the ‘you’ part. As that portion is vulnerable, but on that, the setting up for that usualy involves several steps (you need your bank card, a specific authenticator device, and probably even a matching phone number to receive a verification code). It still only generates a password, but one that is very hard to crack if you dont have device access.
But as it only asks it upon executing a transaction, and involving a strict hardware check, it usualy handles the ‘do’ part. Thats why its built like this.

(its interesting material to read nonetheless)

Biometrics are a convenience part for a password, because no one wants to type in hundreds of characters as password every time. And in most cases secure enough, because its only possible to use it on your device (the something you have part).

Being able to solve this ‘is it realy you’ part, means you solved security. And so far it seems to be impossible to ever have a solution here.

Math is currently one being at risk (quantum computing), and physics do not allow scans at such level that it scans enough levels that makes copying impossible (sure, a frankenstein copy of your body might be impossible now, but it in theory being possible is enough to state its not solved for security).
Even if you would have a constant vision on the person, there is a risk it gets spoofed somehow (we dont know what light manipulation will be possible). But at least we know that several of these things are just not possible short term, where the guessed duration until its possible is guessed to be significantly longer than the human life span, making it unlikely this will be exploitable.

But yeah, even short term, there are a lot of dystopian things going on that can make this a problem.

This is the only part you keep missing. “Something you do” is not a factor. It’s proof of intentionality. It doesn’t need to be secure. When you use a biometric it makes intentionality and the “something you are” factor a 2 in 1 step for authentication.
The biometric is the key, presenting that biometric is the action of intentionality.

When accessing a bank typically you present your username (client id/card/username/etc.)
Then say “login”. Assuming you configured the best security on your account with your phone, They will do 1 of 2 paths:

1. Ask for fingerprint - This Accounts for intentionality and 1 factor, The biometric is actually unlocking a private key stored on device (the 2nd factor) that is used in a crypto signing challenge. This is a 2 factor auth.
2. Push notification - This is sending you an OTP of 2 digits you have to enter into the webpage. The numbers are 1 factor (something you know) once entered, you’re typically asked for a fingerprint which repeats the first path above. In total this accounts all three factors + intentionality and would be a 3 factor auth.

Both of these paths are a “passkey auth” or “passwordless auth”

I also just wanted to comment that this isn’t the end of encryption. Only some forms of encryption use prime numbers as keys (which is what quantum computing threatens via Shor’s algorithm) There are other forms like Lattice based encryption

There’s a lot of digital ink being split here about classifying MFA and FIDO. These two aren’t comparable, but fwiw, FIDO can enforce multiple factors, but it is not required to. There’s the FIDO Single Factor Mode, which only challenges one factor (password/FaceID/TouchID). Then there’s FIDO U2F, which can challenge based on multiple factors before the authenticator uses the private key. Even though FIDO single factor mode is just one factor, it is still better than having just a password because of the additional requirements for the authenticator (it needs to verify the requester, much like TLS, so no fake websites can request for the private key, it also requires the a test of user presence, using keys instead of passwords also allows for unique challenges instead of always comparing the hash of a password against your database.

This complexity in explaining passkeys more or less outlines my issues with the rollout. There’s way too many options and multiple vendors with no real way to coordinate across devices and vendors (i.e. vendor lock-in). The current best ‘fix’ to me looks like enroll many devices for each service, but I am very iffy about this; if any device does get compromised, then I have to rush to unenroll from all services. Then, all services do an absolute HORRENDOUS JOB explaining what a passkey is, and whether I have one already that I can use (this I hope will improve in the future).

Finally, something I have noticed in a few services is that they seem to push passkeys with a single factor rather than also suggest multiple factors. They seem to push the convenience benefit, and thus almost always contain this message of ‘you only need one thing now to login, and it’s not a password anymore to remember!’. This is crazy to me, because multiple factors are always better than a single factor.

Ask for fingerprint - This Accounts for intentionality and 1 factor, The biometric is actually unlocking a private key stored on device (the 2nd factor)

Fingerprint/faceID/entering pin on a registered device is not two factors, it is just one. Using one factor to enable another factor doesn’t create a new factor; otherwise we can simply have an automatic chain of factors to go up to any arbitrary number of factors. Testing the user’s actual presence is not typically seen as a (separate) verification of the user and is only confirmed by the specific OS; for example, in Windows, you can normally enter the pin/password programmatically, but the specific implementation of passkeys only allows specific, trusted input sources (e.g. a keyboard or non-virtual camera) to enter the password. But the authenticator app has to trust the OS to provide a sane implementation; it by itself can’t verify the authenticity of TUP. Similarly, the implementation of the USB key should be sane (for a naive example, it should not constantly keep sending the signal for the button being pressed).

Originally, the MFA idea is to separate the info used to authenticate; passwords in your brain/token in your device. I don’t think it’s a good idea to combine these multiple factors in a single device, but it seems to be what the language surrounding passkeys continue to suggest. This is not the case in the RFC, but who reads RFCs?

Math is currently one being at risk (quantum computing)

Only people scared of the NSA are worried about this kind of thing. If you are being monitored by the NSA, I would worry about far greater things. Quantum computing is assuredly not the first issue here and won’t be for a long time. If it does come, we will just move to a NP-Complete based problem.

Its not about the NSA listening in. There is already a huge chance even without quantum computers that they can, because the most used encryption acros the internet was designed by them. And they can already crack these. That it now takes them 2 months to crack something, and it gets reduced to 2 days is barely going to matter. Its just going to expand the scope of people they want to track. Most people remain unaffected.

The problem is that financial systems are going to take such huge hit, nothing can be trusted here anymore. If they can read and alter your transaction, while the hash remains valid. What can be done to trust anything? This is what most are worried about, quantum computing can break the trust chain on the internet.

The only way this can be prevented, is if we manage to develop a quantum chip for normal pcs. They dont need to be powerful, they only need to implement a system that cannot be broken by quantum computers in a short time. If it still takes a month to crack, it limits the amount governments can crack and therefor use. Its about making this stuff as expensive as possible for governments. As the more expensive, the more targeted they will have to work, and therefor most people are avoided in these problems.

This is not what I said. The fingerprint/faceID/entering a pin is 1 factor like you said.
The key itself that is unlocked for signing, is the second factor (Something I have)

Factors are not “different avenues” They’re components of “I am who I say I am”
ie:

• Something you have
• Something you know
• Something you are

You can combine these together to account for more than 1 factor. ie: Something you are, being used to unlock something you have.
As long as all factors are barriers to authentication this is an acceptable strong auth.
If it is not possible to authenticate without all factors being used that is MFA.

The reason MFA is not about the separation is because it doesn’t matter how much separation there is. Someone can Man In The Middle your communications if the endpoint is compromised.

The goal is to make stealing the required barriers difficult. which is why MFA is about factors, not separation. MFA isn’t for the user. It’s to stop attackers. The convenience is in the design. I’m supposed to have all the factors, attackers are not. and even when they steal one, they won’t have the others. If my phone were compromised, they would need to still steal my fingerprint.

I used to have this misconception of the factors. Someone smarter than me explained exactly what I’m saying now.

MFA is not for the user, it’s for the attakers.

This is not true. Most encryption was designed by Rivest–Shamir–Adleman
Three mathematicians/computer scientists who built RSA Encryption did.
Other forms of assymetric/symmetric encryption are built by other math/computer scientists. but RSA is one of the most used.

The NSA is not one to scoff at though. They built XKeyscore long before palantir came into the picture. This is why encryption is important. XKeyscore monitors a lot, so does palantir, they compromise as many endpoints as they can to gather unencrypted information.

The worry about quantum computing is about store now, decrypt later.

I was thinking of AES, which is what most LANs use. But even there, it seems they didnt entirely make it either, but just massively invested into it (and at some parts improved it, as they very quickly also discovered where it was vulnerable).

But RSA being #1 would also make sense as most websites rely on it, and is actualy possible to be measured as websites are public, where LANs are not. And RSA is on that the more important one regardless. Most LANs do not risk hacking.

I don’t think it is a second factor, because an attacker that has access to the fingerprint/faceid/pin gets access to the key that is unlocked by these. It’s like encrypting a txt file containing the password with another password; that doesn’t make the set up more secure. The thing that can make it more secure is, provide a key, provide a second key separately not tied to the first key. Then these become two separate factors. For the same reason, ssh keys encrypted with a passphrase is not considered as two factors.

The likelihood that an attacker would have:

• Physical access to your USB key
• The ability to replicate your fingerprint

Is highly unlikely (I typically advise people not use faceid for the glaring security issues related to it.)

I said it before, the factors are not about separation. But about components of proof you are who you are claiming to be.

Alright, I suppose that’s fair. I will defer to your judgement, since you are the expert here

Not a fan of the 2FA requirements. I’d get it if it were enforced specifically before you are allowed to share links or upload anything, but it makes very little sense to require it for casual users who only download. It’s an annoyance to have to use for an account that is (for the most part) entirely throw away and contains nothing of value and presents no meaningful benefit to attackers compared to just making a fresh account.

Everyone says this but many people don’t use accounts like this. Your perspective is not the only one.

Also you fail to recognize the value in having an account you can impersonate that may have some level of trust in the community.

There’s always value somewhere if you look for it. Everwhere should have strong security.

Everyone says it and for some people, it legitimately applies. If you want to make it so accounts cannot post, make comments, whatever, without 2FA, that’s more reasonable. Hell, if you just make it so people don’t have to be logged in to use the site at a basic level, that also works. Hell, require it to give people a “trusted” badge or something.

There are a million other ways to go about this that are far less disruptive and frankly intrusive than force requiring 2FA for everyone. If you’re worried about people becoming attack vectors, require it for people that can be attack vectors. Otherwise it really just seems like you have strong feelings about “security” that you are using as an excuse to enforce it on everyone, whether it actually makes a difference or not. I don’t “fail to recognize the value of having an account you can impersonate that may have some trust”. I fully recognize that as a vector. What I don’t agree with is that everyone falls into that category. Very few people fall into that category, but you seem to be blanket enforcing 2FA for everyone anyways. I have zero level of trust in the community and do not seek any out. There’s no reason I should be forced to use 2FA just because other people do have trust. Require them to have it, not me and people like me.

I am considering whether or not to keep using the site, because I like to keep shit like this entirely isolated and not tied to anything personal. I also don’t want to have to go dig up a local 2fa repository every time I log in just to download things. I don’t want anything related to this on my phone or easily accessible on my computer. At some point it becomes annoying enough to just not bother, especially when most of my login sessions last less than 10 minutes before I log off.

If everyone says it, there’s probably some truth to it. Our perspective isn’t the only one, but that doesn’t make it matter less. There are more surgical ways to do this that are exactly as effective as what you’re attempting and far less annoying/damaging to everyone else’s experience. Also, no, not everywhere needs strong security. Places with things of value need strong security. You’re not putting barbed wire around your shrubs because they don’t need the security. You put barbed wire around a military base because security there matters.

It seems like you’re having a knee jerk reaction to a security breach and not spending the necessary time to consider that the reaction you’re having will likely make the platform worse for most users to the benefit of few users.

That was a lot of things said that I have already responded to.

Tell you what give me a good reason why I shouldn’t require it. Just note you already lost.

That exactly what I’m doing.

Just note you already lost.

The fact that you view it this way is a problem. You’re not winning if you’re losing users because you decide to bullheadedly push forward with a change that alienates them.

That exactly what I’m doing

No you’re not. You’re requiring it for everyone. You could easily do what other similar sites have done and give people “trusted uploader” badges or whatever for having 2FA enabled. Not everyone can be an attack vector, especially if you actually bother to implement changes to prevent it.

Disallowing accounts without 2fa from posting links or uploading otherwise would solve the problem without creating the alienation that requiring it for everyone does.

If you want to argue “everyone” could be a vector, that’s just obviously a poor argument. By that logic, 2FA accomplishes nothing because “everyone”, including a bad actor, can just spin up a new account (or a hundred) that has 2FA enabled, get them to exactly the same level of trust people like me have in the community (which is basically none), and then upload malware.

Do you want to solve this problem? You solve it where it actually exists: uploaders. Forcing annoying changes on every user is just going to hurt the site more in the long run as people don’t like using it when it creates no meaningful benefit for them.

I use 2FA for every single important service in my life. This is absolutely not one of them and I don’t want something on my phone even remotely related to this site.

And to try to be very specifically direct to your earlier comment:

Tell you what give me a good reason why I shouldn’t require it [for everyone]

Because it creates a negative experience for users. That should be enough reason. There are justifications for requiring it for people who present a meaningful threat because they actually possess trust. Those who don’t possess it, don’t need 2FA. It’s that simple

Everyone can be an attack vector. There are other measures being used already to prevent bad actors from creating alts and doing this like users get flagged to us when multiple users share an IP. I have mass deleted users before for having clear alt-behavior.

In fact, MFA makes making alts harder. There’s a much larger friction to tracking all the MFA’s for every alt. So MFA actually helps mitigate the threatmodel here.

Are you going to maintain that list? Even if you did, discourse doesn’t support that featureset. You can request that of the devs over at meta.discourse.org

You should be using 2FA everywhere importance of an account doesn’t matter. By leaving your account potentially open to phishing, credential stuffing, etc. you become an attack vector for the community, you can doxx your internal accounts info. It’s generally unsafe and it’s better to eliminate that vector.

This is unfortunately just a reason. Not a good one. There’s a lot of things that create negative experiences for users that are positive changes. You can’t please everyone. There’s always a calculation behind certain decisions. I have enough experience in the cyber industry to know I was being irresponsible for not enforcing this earlier.

Whether you like it or not, this enforcement makes the forum safer for everyone
The people yelling about privacy don’t understand how MFA works. Using MFA doesn’t compromise your privacy in the regular ways nor the “enhanced” private ways.
The nature of MFA is to be as private as possible by necessity (It’s literally a secrets management problem)

I’m not sorry for trying to keep everyone safe. I’ve even taken responsibility for other’s ignorance and made countless attempts to educate and calm people’s concerns.
I hosted a stream on discord to educate via QnA and 3 people showed up.
You’re a vocal minority and I’m still trying to help educate and you so you understand.

Both you and I will never truly understand the number of threats possible due to account hijacking. We’ve only started the threatmodeling process. My experience knows that there are many threatmodels that necessitate MFA everywhere.