Threat Level: green Handler on Duty: Pasquale Stirparo

SANS ISC: ISC Two Factor Authentication Update - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
ISC Two Factor Authentication Update

For quite a while now, we provide the option to use a time-based one-time password as a second factor to authenticate to your ISC account. The implementation we picked was RFC 6238 as it is also implemented by Google's popular "Authenticator" app. But so far, we haven't had a good solution for the "lost authenticator" problem. It required an administrator to manually reset the particular account.

To help with password and authenticator resets in the future, we are now also supporting SMS and Voice Call based authentication. To enable this feature, you will need to provide one or more phone numbers that can be used to authenticate you. If you lost your authenticator app (e.g. if you get a new phone), or if you need to reset your password, this number is used to authenticate you.

This *should* work with phone numbers globally, not just US numbers. But of course, we can only test a couple of countries. Please let us know if you run into any problems.

At this point, I don't think it makes sense to make two-factor authentication mandatory for our site. Many users do not have any personal information stored with us. But I think it does make sense to provide the option and allow users to decide if they feel it is necessary or not.

To configure your phone number, see http://isc.sans.edu/pwresetinfo.html (you will have to log in first of course)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Johannes

2930 Posts
ISC Handler
With regards to the "lost authenticator" problem, I would like to recommend Authy.
Supports Google Authenticator and your data is saved in the cloud. They support Android, iOS and a Google Chrome plugin for desktop environments.

I am using it for my Google, Microsoft and other apps accounts that uses RFC 6238.
No, not an Authy employee. Just a happy user. :-)
Mike7

42 Posts Posts
My personal choice of form factor for a 2nd factor of authentication is one of the Yubikeys. They are supporting the FIDO alliance and support for that is built into Google Chrome, and Windows Edge has pledged support also. It seems that Mozilla is dragging their feet because they don't seem to have a good answer on USB in the browser and want a solution that also works for their Firefox OS platform. The original Yubikey just looks like a USB keyboard, so it is compatible with everything, but doesn't seem to be well supported. Luckily, it is supported by LastPass which is most important to me (despite my deep concerns over it's recent sale.)
Anonymous

Posts
Support for FIDO is certainly on the roadmap. I am waiting for better support for mobile devices. As far as Authy goes: Have to look into it more, but I don't think they were around when we started to implement two-factor so have to see how hard it is to convert. I don't want to support multiple systems due to the overhead involved, and the current one can be used pretty much with any RFC 6238 compliant software (we do not just show the QR code for easy integration with Google Authenticator, but also the secrets in base64/base32 as other tokens like it).

Our site isn't probably a great example, as it isn't a site most user would consider "critical" or "sensitive". But there are only a handful of users that take advantage of the two-factor option.
Johannes

2930 Posts Posts
ISC Handler
I just looked at Authy, and it works fine with our site. You can use it as an authenticator just like Google's app, and they can do the phone part for you (sms/voice). I am a bit concerned about the privacy part. Have to look closer at them to see if they know when you log in and into what sites you log in (they do know who you have an account with). Google's authenticator is all on the client and doesn't need to talk to google.
Johannes

2930 Posts Posts
ISC Handler
I'm also using Authy with many websites amongst isc.sans.edu! Bonus, it also has an Apple watch version. Very convenient to have all my tokens at my wrist!
Xme

276 Posts Posts
ISC Handler
The cloud connectivity is for storing accounts backup in encrypted form. They may not even know what accounts you have (see last few questions at https://www.authy.com/faq/). You can use the app with internet connectivity (Wifi, mobile) turned off. Privacy policy is at https://www.authy.com/privacy-statements/

Continue with RFC 6238. We are just using Authy app as a "better" google authenticator app.


Authy do have other features and is a lot more than just a google authenticator clone. FWIW, CloudFlare is using Authy's 2-FA.
Mike7

42 Posts Posts
Can you offer this for Sans.org accounts as well.

Having two accounts for this site and the Education stuff is a pain.
BLACKFLAG

2 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!