The author seems to not have heard of hardware tokens to store your MFA.
It’s not linked to a single device (you can get your codes on a computer, phone or tablet), it doesn’t require you to be “online”, and you use them for OTP, passkeys and whatnot.
FWIW this is why it's a good idea to have two MFA mechanisms. If you can afford it I recommend getting 2 hardware tokens, and storing them separately (you can leave one in your computer, hard to lose).
My point is that not having hardware-based MFA, but still having a form of soft-token MFA, doesn't make the IT personnel completely incompetent or negligent.
Not requiring MFA at all and having weak passwords would be an example of that.
You actually can't mix hardware tokens and OTP apps. Your only option is to scan the code twice and skip hardware tokens entirely (which is quite reasonable, as the recovery for an app would be easier than for a failed/lost hardware token).
Note, though, that the new SSO login actually supports MFA in a normal way.
It'd be nice, but support for them around the web seems to be mostly terrible. Only a tiny handful of sites support it at all, and most of the ones that do support it don't support more than one, which seems kind of essential to actually use it long-term and guard against the tokens breaking or getting lost or damaged.
One area where hardware authenticators work really well is where you want to split access to an account, or have some accountable/logged procedure for it. You put the physical token in an envelope and in a safe/put it in the control of a finance person. Tech people have the password, but need to request the token to do logins.
This also requires having role accounts which aren't able to reset authentication settings when logged in, though, to really be good (or else you just disable tokens on first successful login).
Also works well for paranoid people who don't trust their phone, or people who log in only from a phone/tablet and thus where MFA is really one-device-authentication.
How do you proxy MFA unless you're using a third-party service for authentication? Plenty of password apps can bind to specific URLs and ports to support TOTP. In what ways do you think it is more secure if an authentication provider gets hacked? Then they could just as likely proxy the hardware token handoff. I don't think hardware tokens are all that much better than someone who is more security conscious, but they are certainly great for people that have no clue what they are doing, or just one step in an MFA process.
You are supposed to have multiple hardware tokens all enrolled so you have backups, but the hardware tokens are a bit pricey and several implementors have failed to read the spec and only let you enroll a single token.
Ok, please don't take this the wrong way, but you guys don't seem to know enough about security to be running this kind of service. Being able to access your MFA token from multiple devices defeats the purpose of it being a second factor (since it must exist only in a single place to be "something you have"), and now you're recommending a backup passcode with less security than WPA2 - a passcode to a backup that by definition should not be allowed to exist.
It's bad enough that Google's TOTP keys are too short (80 bits, below the required 128 and recommended 160+), especially given the clarity of the spec and the size of their organization, never mind being the first large-scale rollout. It's also unfortunate that they half-assed their Authenticator app, which hasn't seen an update in over two years. At least they've had the good sense to improve the workflow of regenerating a token for a new device.
I appreciate the problem you're trying to solve and am aware that there tends to be a lot of headache in additional security, but doing this kind of thing provides a false sense of security if not outright lowering the security of what already existed. If I can get access to my MFA tokens by typing in a password, then it's a knowledge factor and not a possession factor. That's one-factor auth with two passwords, like the "security" questions on many banks.
They let you enroll a hardware token after you enable either a TOTP or SMS 2FA method. No idea why, seems to defeat the point of the additional security that a hardware token offers.
While mitigating a number of attacks, MFA with these types of physical tokens is still only as strong as their setup/enrollment process, which in many cases can be compromised via phishing.
From my experience, there's a difference between trying to compromise someone with good opsec (many readers of Hacker News) and compromising regular non-technical people.
It only permits a single hardware token to be registered to an account, so good luck if you misplace or break your hardware token.