I am really puzzled and scared by many modern “security” consultants who claim the smartphone to be the next security device or even my identification object. Knowing that
- the smartphone has more cores than most desktop computers,
- is connected faster to the internet (thanks to LTE) than most land line bound computers
- and most older smartphones get no software updates fixing security issues,
this is a really scary scenario.
And the scariest thing of all is, that most users are not aware of this and are installing third party applications (belittling it as “App”) by a blink of an eye or the touch of a finger tip. Waving through all rights and access grants such an “App” wants to get.
Knowing this I am getting sick reading sentences like that on a daily basis:
We can achieve the same level of security as from a physical token using a simple app and a public algorithm to generate Time-based One-Time Passwords (TOTP), for example.
This in fact is not true. A hardware token has NOT far as many attack vectors like a smartphone, from which you can steal the secret key, that is used to calculate the OTP values. TOTP (RFC6238) is based on HOTP (RFC4226) which relies on a secret shared key. This secret key is used to generate the OTP value. If the secret key is stolen from the smartphone either by
- physical access to the smartphone or
- by remote access via a trojan
the key is also known to the attacker.
And now comes the nasty part with TOTP: As TOTP only relies on the secret key and the time (which is known to everyone), an attacker can impersonate the user WITHOUT him NOTICING it. The OTP value an attacker generates will be a valid OTP value. The OTP value, the user generates a few minutes later, will also be a valid OTP value. The user will only experience a small “hickup” if he would try to authenticate within 29 seconds after the attacker did. Would the user care? Or would he just try a second time?
Don’t get me wrong. The smartphone with a Google Authenticator or FreeOTP is a great device to increase security in an easy and CHEAP! way. But it has those problems a hardware token does not.
A preseeded hardware token of course has the problem, that the secret key was installed at the vendors site and I do not ask you to trust the vendor.
But there are also hardware tokens that you can initialize yourself. Then you are the only one who knows the secret key and the secret key can not get extracted from the hardware remotely.
So it is important to know what you are doing and decide which level of security you want to achieve. But it is a sham telling that a smartphone will get you the same level of security as a hardware token does!
Luckily you can choose what level of security you want to achieve, when using privacyIDEA.