Thursday, 8 December 2016

2FA on A&A control pages

I think we have 2FA sorted nicely on our accounts pages for A&A.

We have taken on board some constructive comments, and done things like "you can't set paranoid mode until you have confirmed that the app has been installed and used a code", and also not showing the QR code or seed again, once installed.

The trick to both of these was to use a different seed for codes sent by SMS than codes from the authenticator - that way we can tell if the authenticator has in fact been used and not just an SMS'd code. Obviously we did have to allow for the remote chance of code matching both seeds and ask for a new code in such cases.

I event made a video showing how to set it up!



The next step is 2FA on our control pages. But first it is worth explaining - yes, I know that really what you should do is identify a specific living individual in some way, and separately have associations of accounts or logins that they are allowed to access in various ways. The system we have does not do that, I know - we have the accounts logins and the control pages logins. The system we have also has a complex set of linkages such as dealer logins on control pages, and, of course, staff logins. Changing to a "single sign on" is a good idea, but a big step we'll tackle another day.

The plan is to use the same library and tools, and almost identical set up processes, as the accounts 2FA system. Indeed, some of the pages/scripts will simply be copied and amended for the different database structures in use on the control pages.

There is, however, one extra trick we can do, and it will be an extra button. As we have the "seed" for the 2FA on the accounts, we can simply have an option to "Copy 2FA from account" for an associated control pages login - why not? Obviously we will ask for password and a new code at the time to confirm you have the authenticator, and there is no reason to show a QR code when doing this. But this would reduce the number of authenticator entries you need installed and will be ideal for cases where it is one person handling accounts and technical issues - like most of our home customers.

This would just be an option though - customers can have separate control for accounts and technical, and have separate people and hence separate authenticators for the control pages if they want.

I hope that sounds sensible. However, I do plan to "let the dust settle" a bit, and see how the accounts 2FA works out before working on the 2FA on the control pages. Feedback welcome, as always.


17 comments:

  1. Might I recommend suggesting the app Authy as an alternative to google authenticator? It makes swapping devices (one of the biggest pains of 2FA) a lot less painful.

    ReplyDelete
  2. Any plans to look at U2F support once the TOTP system is bedded in ?

    ReplyDelete
    Replies
    1. I'd like this too. I don't have a mobile telephone, but I do have a YubiYey 4.

      Delete
  3. I set it up a couple of days ago and the process worked well. I don't know if you have changed it since, but I thought that the first page could do with a bit more explanation of the setup steps as at first I thought that it was only setting up SMS 2FA.

    I am using Yubico Authenticator with a Yubikey, which means that the credentials are stored on the Yubikey rather than the device with the Authenticator app. I have a copy on a backup Yubikey, just in case!

    ReplyDelete
  4. Thank you Mr Kennard :). Extra security where finances are concerned is always appreciated.

    Looking forward to 2FA being implemented on the control pages as well.

    ReplyDelete
  5. One piece of feedback - the setup SMSs have the code at the end. Others have it at the beginning e.g. "123465 is your AAISP authentication code". This makes it visible in notifications on my phone's lock screen or my watch - perhaps less secure, but means I can read it in without having to open the SMS app, so more convenient.

    ReplyDelete
    Replies
    1. Yes, we did it deliberately to avoid showing on lock screen!

      Delete
    2. Fair enough, I suppose it is meant to be a security feature :)

      Delete
  6. Each time I logged into accounts with a VPN connection, both yesterday and again today, I got an email from the system informing "You have logged in from new browser", quoting the VPN IP address and asking me to contact accounts if it wasn't me (it was). Is this because of the new 2FA changes as I don't recall it happening in the past? I can't use the 2FA anyway because I don't have or need a smart phone or any similar mobile device.

    ReplyDelete
    Replies
    1. This is new and should be once per device (assuming device holds the cookie). It is just an additional security measure.

      Delete
  7. This is how I find out priceless has my phone number from 3 houses ago and a mobile number so old I don't even recognise it any more :p

    It's odd that it doesn't sync with clueless, which is up to date.

    ReplyDelete
    Replies
    1. It was (supposed to be) a comment on how useful a system is which sends the seed to an out-of-date mobile phone number (which might now be owned by Harry the Hacker).

      However having hit the "Set up 2FA" button on priceless, it clearly shows which number it intends to send the SMS to - so my comment is wrong. Sorry.

      Delete
    2. Also, I have made it possible to set without SMS.

      Delete
  8. Regarding showing the seed only once, it's if possible to show it again after reauthenticating? For my work RSA key, I have several devices that I use regularly and have imported the same seed into all of them, admittedly by keeping a secure note if the seed url.

    ReplyDelete
    Replies
    1. Technically, one can show the seed again, even if encrypted (if you enter password) but I suspect it is not a very good idea generally to do that. We originally showed the QR/seed on the accounts system once authenticated, but several people commented that they felt that was not a good idea. Obviously, we are, at that one time, showing the seed and you could copy/paste it if you wanted to and have a secure way to store it.

      Delete