Thursday, 15 December 2016

What we did in the end for A&A 2FA

The system is OATH/TOTP 6 digit 30 second authenticator codes, set up by QR code. We have TRNGs we use for seeds that are 320 bits long.

On the accounts system we have gone for some flexibility: an option to receive codes by SMS instead, but configurable, and a configurable trust level to decide when to ask for a code. It is also a seed we hold, so staff can ask you for a code to check you are who you say you are (a useful feature on the phone, on irc, in web chat, etc.).

On the control pages (and the internal staff A&A systems) we have gone for an encrypted TOTP seed and no SMS option. The seed is binary data, XOR'd with a stretched Argon2 hash of the password and a random seed (effectively a salt) set aside for that purpose, i.e. the stored seed also carries its own random seed for the encryption. There is no way to check that a candidate password is right other than doing the Argon2 hash and then checking an authenticator code against the recovered seed, so the encrypted seed is not a shortcut for cracking the password hash.
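To make the seed-encryption scheme above concrete, here is an added example (not A&A's code) of the enrol and recover steps: a 320-bit seed is masked by XOR with a memory-hard stretch of the password under a per-seed random salt. The page uses Argon2, which is not in the Python standard library, so scrypt stands in for it here; the parameters, record layout and function names are assumptions. Note that the record carries no tag that would let anyone confirm a password guess directly; a guess can only be tested by deriving a seed and checking an authenticator code against it.

```python
import hashlib
import os

SEED_BYTES = 40   # 320-bit TOTP seed, as stated on the page
SALT_BYTES = 16   # per-seed random salt ("seed for the encryption"); size assumed

def stretch(password: str, salt: bytes, length: int = SEED_BYTES) -> bytes:
    """Memory-hard stretch of the password, long enough to mask the whole seed.
    scrypt is a stand-in for the Argon2 hash the blog describes."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=length)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def enrol(password: str, seed: bytes = None):
    """Create the stored record for a new 2FA seed.
    Returns (record, seed); the plaintext seed is what the QR code would carry."""
    if seed is None:
        seed = os.urandom(SEED_BYTES)   # TRNG on the page; os.urandom here
    salt = os.urandom(SALT_BYTES)
    record = {"salt": salt, "blob": xor_bytes(seed, stretch(password, salt))}
    return record, seed

def recover_seed(record: dict, password: str) -> bytes:
    """Undo the mask. A wrong password yields a different, random-looking seed
    rather than an error, so the only check is a working authenticator code."""
    return xor_bytes(record["blob"], stretch(password, record["salt"]))

def rekey(record: dict, old_password: str, new_password: str) -> dict:
    """Password change: needs the old password to unmask, then masks again
    under a fresh salt, matching the 'old password required' rule above."""
    seed = recover_seed(record, old_password)
    new_record, _ = enrol(new_password, seed)
    return new_record

if __name__ == "__main__":
    rec, seed = enrol("correct horse battery staple")
    assert recover_seed(rec, "correct horse battery staple") == seed
    print("recovered seed matches:", recover_seed(rec, "wrong") == seed)
```

The `rekey` step is why a password change on such a system must be given the old password: without it the stored blob cannot be unmasked, and re-encrypting under the new password would be impossible.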

This means that on control pages the password change needs old password if you have 2FA set up, and expects an authenticator code as well. Some staff can override, but they will also look at account settings as part of deciding you are you!

I think, overall, we are doing well. Hashed passwords and 2FA with encrypted 2FA seeds.

There is always more to do, and more security to add, but this is an ongoing process.

Customers can now set up 2FA on A&A accounts and control pages if they wish - have fun.

14 comments:

  1. How do you handle the inevitable loss of the 2FA device?

    I've lost count of the number of times I've changed phone or reset it without removing 2FA from accounts beforehand :-)

    1. Comes down to policy and procedure with A&A staff

    2. I use Authy. Keeps all my 2FA safe for me. Re login on new device with an SMS sent to your registered number.

    3. So Authy knows your 2FA secrets. How much do you trust Authy not to reveal them (accidentally or not) to the wrong person?

  2. Random note: if you find it works with the authenticator on one machine but not on another, check the other machine's clock before assuming that the authenticator is buggy and spending ages hunting for a bugfix. In my case, it had drifted by 35s forward... :/

    1. Your system is meant to allow for some drift. We allow 5 minutes but don't allow the code sequence to go backwards or be reused.

    2. This is probably a double consequence of my testing on two devices in quick succession, one of which had a skewed clock, then :)

      (and the reuse prevention is of course why the reset period is as short as 30s, since every time you use a code, you can't re-authenticate again for on average half that long.)

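The post describes 6-digit, 30-second OATH/TOTP codes set up by QR code, and the reply above describes the server side: a 5-minute drift allowance, no going backwards in the code sequence, and no reuse. The following is an added example, not A&A's code, covering both: RFC 6238 code generation (HMAC-SHA1, the default for authenticator apps), the otpauth URI a QR code carries, and a verifier that searches a window of time steps but remembers the last accepted step so an older or already-used code is rejected. The window size, URI label and class names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30        # code period, as on the page
DIGITS = 6               # code length, as on the page
DRIFT_SECONDS = 300      # 5 minutes each way, as stated in the reply (assumed symmetric)

def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(seed: bytes, at: float = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at is None else at
    return hotp(seed, int(now // STEP_SECONDS))

def otpauth_uri(seed: bytes, account: str, issuer: str) -> str:
    """What the set-up QR code encodes: base32 seed plus the parameters."""
    secret = base64.b32encode(seed).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")

class Verifier:
    """Server-side check with a drift window and a monotonic last-used step.

    last_counter would be stored per user; a code whose step is at or below
    it is rejected, which covers both replay and a client clock that went
    backwards relative to an earlier successful login."""

    def __init__(self, seed: bytes, last_counter: int = -1):
        self.seed = seed
        self.last_counter = last_counter

    def check(self, code: str, at: float = None) -> bool:
        now = time.time() if at is None else at
        base = int(now // STEP_SECONDS)
        steps = DRIFT_SECONDS // STEP_SECONDS
        for counter in range(base - steps, base + steps + 1):
            if counter <= self.last_counter:
                continue                      # never go backwards or reuse
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter   # consume this step
                return True
        return False

if __name__ == "__main__":
    # Constructed seed: the RFC 6238 SHA1 test-vector seed, not a real one.
    seed = b"12345678901234567890"
    print(otpauth_uri(seed, "alice@example.invalid", "Example"))
    v = Verifier(seed)
    code = totp(seed, 59)
    print("accepted with 35s skew:", v.check(code, 59 + 35))
    print("accepted again:", v.check(code, 59 + 35))
```

The 35-second skew from the comment falls well inside a 5-minute window, so that code is accepted on first use; the second attempt with the same code fails because its step has been consumed, which is exactly the short lock-out the second reply refers to.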
  3. Although I'll probably never be an AAISP customer (not planning to live in the UK) you should at least offer the option of using TOTP only (no SMS, maybe enforce backup codes too)

    Other than that, good work I must say.

    1. As I say, use of SMS is configurable. You can set up without SMS option.

  4. Are you the first ISP to have 2FA for account and control page access?

    1. No idea. We have heard horror stories of such logins having passwords clearly visible to ISP staff (not even hashed) before.

    2. I *think* Vodafone enforces 2FA (via SMS) for all online access to one's account.

    3. Office 365 does it, as does Azure, RIPE, Amazon, Dropbox, Facebook, and Google.
      Those are the ones I've collected thus far... plus my work VPN one...

  5. Fiddlesticks. So since I signed up for this, I killed my phone and at the time I was using an app that doesn't save your 2FA hash anywhere.

    So lesson to be learnt, use something like Authenticator Plus which allows you to sync between iPhone & Android using DropBox.

    Also I appear to have not opted to allow for SMS reset, which seems like an error, so I guess I'll be phoning up on Monday to get that reset!
