
Shifting from passwords to more secure systems such as MFA ignores the elephant in the room about passwords that no-one wants to acknowledge: People share passwords.

A simple example is this: A couple do online grocery shopping every week or so. Depending on who has time to do it, one of them will log into the 'account' and build the basket. Maybe the other will then amend the basket a few hours later before the cut-off time. With enforced MFA, this is not possible.

There will always be a small percentage of situations where '1 person = 1 account' will never be true. Until providers add the concept of multi-logins to the same 'account' on their systems you can't wholesale move to stronger security methods.

I have the same issue with all these 'smart home' products that need an app installed onto a phone or tablet. A lot of them are bound to a single account, which means if other people in the household also want to have the app, you have to share your account details. If it's a Google or Amazon product, that means you are sharing account details of an account that you really shouldn't be.



YouTube has this problem to an insane degree. Some large businesses are run from a single person's long-standing Google account, and there's no way to give another YouTube account any privileges you might want an employee to have without giving them access to your entire Google account and all attached services, including your emails, the ability to locate and wipe your phone, all the photos on your phone via Google Photos, your calendar for its entire history; I could go on.

It's completely insane, and the closest they've gotten to adding anything like this is letting people have comment moderators on live streams, not videos where people have wanted comment moderators from day one, just live streams.


Not true. You can give people access to manage your channel. (https://support.google.com/youtube/answer/4628007?hl=en)


Can't you just convert the channel to a brand account, then associate new people? Has worked for us for years and AFAIK people don't have access to anything other than YouTube.


You can. OP simply doesn't know that feature exists.


I agree sharing passwords is a really common thing, even among corporate / enterprise SaaS. Even with MFA people share dongles / code pads.

But the correct pattern is a formal system for delegation and/or disconnecting 'login' with 'account' (i.e. separate charging for a service from the login). This is something that AWS does very well for example.


Exactly, built-in delegation and impersonation features solve this. AWS IAM and Kubernetes have great implementations. Hopefully we get some more standards like OAuth so people talk about this stuff more.


On the consumer side there's also the various "Family Sharing" systems that are only now in their youth. I think that's a "digital asset rights" fight waiting in the wings that some sort of "family sharing" should probably be guaranteed (by laws, probably), including to answer questions of proper transferal of "ownership" (right now "family sharing" in most cases isn't something that you can gift in a will/estate; most digital asset accounts aren't considered survivable after the death of their original user).

There are so many interesting legal questions about digital assets that we're all afraid to ask, but probably should be solving today (if not yesterday).


MFA does not mean no sharing. It is trivial to set up multiple credentials for the same account. You can easily have two different fingerprints set up as 2FA from two different devices for the same account. Most services let you have backup codes and dongles already. This is mostly an issue of education. We already see a lot of these kinds of other factors, like sending a message to device 1 when provisioning device 2.


In theory you are correct. In practice very few systems are set up so that two different people can share an account without using a shared password.


> It is trivial to set up multiple credentials for the same account.

Unfortunately, some very popular 2FA keygen apps can't handle multiple devices linked to a single account. I have a well-known service provider that uses a well-known company's app for 2FA. Unfortunately, this app has to be reset to a new device code on changing of the phone's SIM card. I wanted to set up two SIM cards so I could switch between them for a trip overseas, but this is not supported, and my service provider does not support other 2FA such as Google's or MSFT's app, which are not tied to the SIM card.


This is such a ridiculously widespread problem...

When I opened a new joint bank account with my wife, the branch manager was helping set us up for online access. I asked about having our individual logins linked to the joint account. He said they couldn't do that, and we had to share the login for the joint account. I pointed out their TOS had just forbidden us to ever do that. He agreed it was stupid, but they had no other option available.


MFA doesn't necessarily mean "1 person = 1 account". TOTP codes can be shared, there can always be copies of the certificates, multiple security devices added to the same profile, etc. It differs from case to case.


Which as I say, all depends on the provider implementing these extra options, in a way that the layperson can use.

To me, TOTP means 'Top Of The Pops', I had to Google your acronym! How is Grandma Alice going to be able to manage these extra steps? - It's already taken over 20 years to convince people that 'Password1' is not a good password.


Do laypeople know or care about the details of password hashing too, and if not, does it matter if they know what TOTP stands for?

“Scan this barcode then enter the six digit number from the app; we’ll sometimes ask for the number when you log in” isn’t particularly onerous - 1Password for example will insert your one time pass along with your password so in some cases there isn’t even an extra step to log in. I’d be more worried about people losing/wiping phones and getting locked out of their logins - who needs those backup codes, right?
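
As an added example (not code from any commenter above), here is RFC 6238 TOTP in Python, applied to the points made above about sharing: the secret encoded in the "barcode" (an otpauth:// URI) is what every enrolled phone holds, so two devices enrolled from the same QR produce identical codes and the verifier cannot tell them apart. The issuer `Grocer`, the label `alice@example.com` and the enrolment URI are constructed; the secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(uri):
    """Enrolment parameters from an otpauth://totp/ URI (what the QR encodes).
    Anyone who can read the QR, or a backup of it, holds the same secret."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"label": unquote(u.path.lstrip("/")), "secret": q["secret"],
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}

def totp(secret_b32, at_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    secret = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", int(at_time) // period)   # 64-bit big-endian step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, candidate, now, window=1, digits=6, period=30):
    """Server-side check tolerating +/- `window` steps of clock skew. It cannot
    tell which device produced the code: the secret is the factor, not the phone."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, now + step * period, digits, period)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

def codes_from_shared_enrolment(uri, at_time, devices=2):
    """Codes each of `devices` phones enrolled from the same QR would show."""
    p = parse_otpauth(uri)
    return [totp(p["secret"], at_time, p["digits"], p["period"]) for _ in range(devices)]

if __name__ == "__main__":
    # Constructed enrolment URI; the secret is the RFC 6238 test key.
    URI = ("otpauth://totp/Grocer:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Grocer")
    print(codes_from_shared_enrolment(URI, 1111111109))   # both phones: 081804
```

The same property cuts both ways: it is what lets a household or a shared vault enrol several devices, and it is why a copy of the QR or the vault is as good as the phone.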


If your TOTP key is stored in the same place as your password, is it still in any sense a second factor?


That argument surely holds if you’ve got Google Authenticator and 1Password installed on the same device?

If someone gets your vault password and can unlock your phone, you’re toast, but SMS as a second factor is then also compromised so what usable (since this thread started as trying to sell MFA to lay people) options do you have (other than maybe a Yubikey)?


I thought Yubikeys and other hardware keys were best practice?


They might be a preference but I don’t see how they can be best practice when they’re barely supported on a lot of platforms - Firefox has some support (but doesn’t work with, for example, Github), no/limited support in Safari, no/limited support in mobile devices.


U2F on Firefox works well with GitHub in my experience; it's Google that's the problem. Mozilla have added a shim to enable login to Google using a key, but (due to spec deviance) if you want to add a key you still need to use Chrome :(.


WebAuthn (previously U2F) is just now gaining that support and momentum, with support both in Firefox and Android.


Oh for sure, and if Safari (including iOS) gets support we'll be golden across the board [1] whereas U2F was until recently pretty much Chrome-only [2]. It just can't happen soon enough!

[1]: https://caniuse.com/#feat=webauthn
[2]: https://caniuse.com/#feat=u2f


As long as it is in a place that you 'have', I believe we can technically count it as MFA.

After 1Password introduced MFA (TOTP) support, it has been used widely in organizations in shared vaults so multiple people can share critical logins that use MFA. This of course means that if your 1Password account is compromised it's game over.


Most users with TOTP assume that TOTP is bound to their app (often Google Authenticator without a backup option / migration path AFAIK). Technically, you are of course fully correct.


> There will always be a small percentage of situations where '1 person = 1 account' will never be true.

I agree, but this isn't an argument against the obsolescence of expiring passwords regularly.

I imagine people sharing passwords are even MORE likely to share passwords in insecure ways if they are forced to change the shared password at a regular interval.


I don't know, but (at least some of) the apps that need multiple logins for precisely the scenario you suggest, seem to have solved this. Here in India we have some grocery apps that deliver (mainly perishables) every morning, such as Doodhwala (https://play.google.com/store/apps/details?id=com.bangertech...) and MilkBasket (https://play.google.com/store/apps/details?id=com.milkbasket...).

So I register with my phone number, I get an OTP (via SMS) and log into the system to add stuff to my basket, etc. My wife also logs in from her phone, but rather than registering afresh, uses my phone number. Now I get another OTP which she uses to log in from her phone. That's it. The same account is logged into on two different phones and the login persists.

I don't know if this is by accident or design, but it works. Hopefully it'll continue to work, and they don't try to "fix" it because it wasn't meant to be that way...


OTP-only login is not MFA.


Well no, it isn't. But there's really nothing stopping the OTP from being the 2nd factor, and we're still not tied to a single device.


That still doesn't mean forcing frequent password changes becomes better... Usually it means COMPLEXPPASS!### where ### is incremented through each refresh, until you can reuse 1 again.

What would be better is forcing a passphrase change when a user on an account leaves.

This does not negate other security practices... however, frequent changes lead to less security, not more, generally speaking.


Wow, you nailed it. Your post describes our household precisely. The only shared password I have is with my spouse for a grocery list app. The most annoying account problems we have are with accounts for household gear such as wifi-aware garage door opener and pool pump.


You shouldn't take that shortcut over the lawn either. There are two answers to that very basic design problem:

1. Build higher fences to force people to walk along the prescribed path. This is often met with resentment, and various attempts at climbing the fence, or even cutting it down.

2. Lay bricks along the new organic path, so that it's safer to traverse.

I like the latter choice. The principle is just about the same in the digital world.


1Password allows me to share specific credentials with a person. And these credentials can include the generator for one-time-passwords.


> Shifting from passwords to more secure systems such as MFA ignores the elephant in the room about passwords that no-one wants to acknowledge: People share passwords.

In real life, people share keys too. So in some cases the "key" should probably be the metaphor, and it could be implemented by a dongle.


Late to the game, but ideas...

1. One-time password?

2. Change password before/after authenticating their device

3. Improve communication with spouse regarding milk, eggs, crap wrap, etc.?



