The system is OATH/TOTP 6 digit 30 second authenticator codes, set up by QR code. We have TRNGs we use for seeds that are 320 bits long.
On the accounts system we have gone for some flexibility. Option to SMS codes instead, but configurable, and configurable trust level to decide when to ask for a code. It is also a seed we hold so staff can ask for a code to check you are who you say you are (a useful feature on phone, irc, web chart, etc).
On the control pages (and the internal staff A&A systems) we have gone for encrypted TOTP seed and no SMS option. The seed is binary data, XOR'd with a stretched Argon2 hash of the password and a seed set for that purpose (i.e. the seed also has a random seed for its encryption), so no way to check you have right answer other than doing the Argon2 hash and checking an authenticator code, so not a shortcut to crack the password hash.
This means that on control pages the password change needs old password if you have 2FA set up, and expects an authenticator code as well. Some staff can override, but they will also look at account settings as part of deciding you are you!
I think, overall, we are doing well. Hashed passwords and 2FA with encrypted 2FA seeds.
There is always more to do, and more security to add, but this is an ongoing process.
Customers can now set up 2FA on A&A accounts and control pages if they wish - have fun.
What we did in the end for A&A 2FA
Subscribe to: Post Comments (Atom)
Companies bad at banking
I was discussing with a colleague the other day how so many companies are so bad with banking. In some ways we have been lucky, but to be fa...
Broadband services are a wonderful innovation of our time, using multiple frequency bands (hence the name) to carry signals over wires (us...
For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...
It seems there is something of a standard test string for anti virus ( wikipedia has more on this). The idea is that systems that look fo...
How do you handle the inevitable loss of the 2FA device?ReplyDelete
I've lost count the number of times I've changed phone or reset it without removing 2FA from accounts beforehand :-)
Comes down to policy and procedure with A&A staffDelete
I use Authy. Keeps all my 2FA safe for me. Re login on new device with an SMS sent to your registered number.Delete
So Authy knows your 2FA secrets. How much do you trust Authy not to reveal them (accidently or not) to the wrong person ?Delete
Random note: if you find it works with the authenticator on one machine but not on another, check the other machine's clock before assuming that the authenticator is buggy and spending ages hunting for a bugfix. In my case, it had drifted by 35s forward... :/ReplyDelete
Your systems is meant to allow for some drift. We allow 5 minutes but don't allow code sequence to go backwards or be reused.Delete
This is probably a double consequence of my testing on two devices in quick succession, one of which had a skewed clock, then :)Delete
(and the reuse prevention is of course why the reset period is as short as 30s, since every time you use a code, you can't re-authenticate again for on average half that long.)
Although I'll probably never be an AAISP customer (not planning to live in the UK) you should at least offer the option of using TOTP only (no SMS, maybe enforce backup codes too)ReplyDelete
Other than that, good work I must say.
As I say, use of SMS is configurable. You can set up without SMS option.Delete
Are you the first ISP to have 2FA for account and control page access?ReplyDelete
No idea. We have heard horror stories of such logins having passwords clearly visible to ISP staff (not even hashed) before.Delete
I *think* Vodafone enforces 2FA (via SMS) for all online access to the one's account.Delete
Office 365 does it, as does Azure, RIPE, Amazon, Dropbox, Facebook, and Google.Delete
That's the ones I've collected thus far... plus my work VPN one...
Fiddlesticks. So since I signed up for this, I killed my phone and at the time I was using an app that doesn't save your 2FA hash anywhere.ReplyDelete
So lesson to be learnt, use something like Authenticator Plus which allows you to sync between iPhone & Android using DropBox.
Also I appear to have not opted to allow for SMS reset which seems like a error, so guess I'll be phoning up on monday to get that reset!