Doesn’t this defeat the whole point of an authenticator?

2013-08-21

WinAuth isn’t trying to be a replacement for a physical authenticator key-chain device, or even for a mobile phone running an authenticator app. It is an alternative or backup solution.

If you are looking for the absolute best security for the service you are using, it should be a physical YubiKey, RSA token or DigiPass. They are designed so that the secret key inside them cannot be read out, so it cannot be copied or stolen over the network. They can, of course, be physically stolen or misused, but every authenticator is vulnerable to physical access: if I steal it from you (and I know your password) I can access your information.

Multiple authenticators

But can you imagine having a key ring with 15 key fob devices hanging off it? Suddenly it is very impractical.

Enter the smartphone. Now you have a device that can be configured through software to run the same technology. You can have your Google Authenticator app, Microsoft Authenticator app, Bitcoin authenticator app, Battle.net Mobile Authenticator, Rift authenticator. Lots and lots of applications, all storing their secret data on the smartphone. Unencrypted. Wait, what? Yes: Google, and other developers of Android authenticator apps, don’t actually encrypt the secret keys used to seed your authenticator. They sit in plain text in an SQLite database file in the app’s data directory. The developers’ position is that this is fine because Android’s sandbox stops apps reading each other’s data, but that protection disappears on a rooted phone, where anything running as root can read every app’s files, and with it every seed you have.

Stolen phones

And what if someone grabs, steals or borrows your phone? Be honest, do you have a password-locked phone? Probably not. Those apps can be run, no password needed, and the codes are right there on the screen. Your phone could even be rooted and the secret keys read straight off it.

Fortunately your phone probably has an automated backup running on it, syncing to the cloud. Right? When did you last test that? Does it actually have all your recent data? How long does it take from your phone being stolen to you recreating a recent copy of it, with all your apps and their data, so that you can open one of your authenticator apps again? Is that quicker than it would take someone to request a password reset on your Google account and enter the authenticator code from your phone? Probably not.

But this is the best we have: a separate device supplying the second factor of two-factor authentication. Good. Unencrypted data, subject to physical vulnerabilities and unprotected access, with potentially long restore times. Bad.

WinAuth 3.0

So add your authenticators into WinAuth too. Now you have a backup on your computer. The authenticators cannot be accessed without your password, and brute-forcing that password is impractical as long as you chose a strong one. Each authenticator can have an additional password of its own, so that one compromised password does not expose every account. Even if the file were copied it would be unreadable, because it is locked to your Windows installation. Someone actually has to sit at your computer in order to use it. You might notice.

Same device you might use to access your account. Bad. Encrypted and protected data, reduced physical access and protected access, synced to your Dropbox / Drive account for immediate recovery. Good.

Sometimes security is a balance.


Photo credit: Edwin Sarmiento, West Midlands Police