Comment by LainTrain@lemmy.dbzer0.com on If you had to ruin an entire app/website by integrating automatic logout, which app would you choose to achieve maximum damage?

My guess is 2fa code apps. Why you ask? Because blizzard already did it. They use their own proprietary 2fa code generator app called battle net, so I have to use it. So after a few months/years of casually not using anything remotely connected with Mr. And Mrs. „Muttermilchknacker”

explanation

(A word derived from the „Panzerknacker” series of comics where the same named group of idiotic bandits try to break open a gold vault full of money, which I use since the scandal where someone stole the lactation bottle of someone working at Activision)

, I finally decided to try Overwatch 2 again, and when I tried to use my login app to confirm my login, I found myself logged out. And when I tried to log in again, I had to use the Authenticator, which I was logged out of, to use my authenticator, in order to log into the authenticator, in order to use the authenticator, in order to log into my authenticator (I could keep going like this forever)

Every morning at work it’s:

>Type in a password to Decrypt laptop drive

>Type in a password to Sign in to laptop account

>Type in a password to Sign into 1password

>Copy password for okta from 1pw

>Use fingerprint to Unlock my phone

>Type in 2FA code from my phone Google authenticator into okta

>Finally log into outlook

>Need to log into a system not behind SSO

>Type in a password to Re-unlock 1password

>Oopsie-poopsie phone died!

>Charge phone for 5 min so I can turn it on

>Type in phone password because you can’t use biometrics after shutdown

>Open Google authenticator and get 2FA for system

>“Sorry your authentication attempt has timed out”

>Type in password to unlock 1password

>Copy password to system

>Type in 2FA code from phone

>Finally logged into system so I can do work

>Oh it’s meeting time anyway

>Meeting is 30 mins

>After meeting get back to the tab with the system

>“You’ve been logged out due to inactivity”

I’d honestly rather drink a verification can.

These systems are design by people who have never had to use them. Then implemented by people who need to justify their jobs.

Nah I work in cybersec, the reason these systems are in use is because of compliance standards that are created as insurance corpos have against each others’ incompetence during vendor reviews.

Problem is as anyone working in the corporate world can tell you they are infinitely incompetent and their reviews are a clown world clusterfuck. But that’s what they get when the unifying motivation is greed, and everyone is paid by the hour.

Personally seeing the C-suite with their rolexes and shit, I ain’t too fussed letting the clock run out due to their bullshit, I’m just gonna go play CTFs or make drum and bass.

I’m gonna have to disagree even though it is an annoying process listed above.

In this case there was a drive encryption password to prevent data theft if the device is stolen, OS login for user level access, a password keeper login at the application level, and MFA on a different app. That is 5 different auths (drive, os, pw keeper, email, MFA) for 5 unassociated objects managed by potentially 5 different entities. The only reason this was an issue was the dead phone for MFA, which is a user error. It super sucks that this is best practice because of bad actors, but this is baseline auth.

I am curious how you would do this differently though if you’ve got ideas. In this case, assuming the OS is Windows and email is Outlook, this could have all been handled with SSO, which would have only required the first two passwords, which is my daily work experience. However, I then get into Bitwarden and log into any not SSO apps I need and have MFA configured for all that support. I work remote a lot and my company is looking at an always VPN connection for everything. That would require me to go through another level or two of auth.

If the device is encrypted and single-user there is no good reason to require further login after the first. If user is AFK then it locks, but then they should only need to type in that password. All this inconvenience is due to overlapping security practices that aren’t designed together.

If the device is encrypted and single-user there is no good reason to require further login after the first.

The reason is non-repudation. Ignoring the fact that the drive’s encryption should have been handled by TPM and not be bothering the user, the drive encryption password does not establish who is using the laptop, only that they know the unlock password. Unfortunately, those unlock password are usually centrally assigned and managed, which means that they are not something that only the user knows. Also, it doesn’t have a good second factor. If the laptop is stolen, there is nothing keeping an attacker out, if they know the password. Their account, on the other hand, should have a password only the user knows. Yes, central IT can reset the password, but this creates logs which show the reset and can be used to prove that the password was reset, and who reset it. And the user’s password can be backed up with a second factor. So, a stolen laptop isn’t an easy on-ramp to the organization’s network.

As for logins after that, it gets harder to justify. OS, email and most web portal logins should be handled via SSO. For most users, this should mean that their drive gets decrypted via TPM, they type their password into the OS login prompt, deal with 2FA and that’s it. For users with admin access to stuff, there will be a separate login step when they need to elevate permissions, but that should largely be limited to IT staff and developers. For the original poster, it sounds like their organization’s IT is being run on a shoestring by someone who either doesn’t know or isn’t allowed to do it well.

If a password is centrally assigned and managed it is not a safe passqword, regardless of other security measures

That depends on the use case. For drive encryption, a centrally assigned and managed password is fine. It provides for protection of data at rest while also ensuring that a single point of failure (the user) won’t remove access to the data contained on the encrypted volume. Since it’s not intended to prove identity, that risk needs to be mitigated by a different control.

That’s the nature of how AD works. The vast majority of businesses operate in that manner. Maybe not so much assigned other than resets and service accounts, but they are managed centrally. My user password is stored on my companies AD. They didn’t know it, but it is managed there. That doesn’t make it a not safe password, but that’s also why other security is recommended instead of just one password.

My assumption was that the user sets the decryption password. Yes, if the decryption password is not your own then you may want your own password on top of that. The point was that there is in principle no reason for requiring the user to enter more than one personal password per session.

At most organizations I have worked at (both IT and cybersecurity), decryption keys will be centrally managed. With some technologies (e.g. Bitlocker), it’s possible to have multiple passwords which can be used to decrypt the drive, and it could be possible for the user to have one only they know. However, there isn’t a logging mechanism to verify which password was used to unlock the drive, leaving the issue of non-repudiation. This could probably be fixed by having some sort of system which logs which user unlocked the drive, but that would be a very hard thing to do securely. Any such log would need to be in a space the bootloader can reach and write to, and now that location needs to be secured in a way which prevents a malicious actor from modifying the log. At that point, we’re quickly arriving at having TPM and we might as well go whole hog and just do TPM and secure boot. Which is a great bit of technology; but, now only proves that the system hasn’t been tampered with.

As a tangent, the reason most organizations centrally manage drive encryption keys is the need to unlock the drive, in the event the user is no longer able to. If you win the lottery, turn your laptop in and run off to parts unknown, the organization may want to unlock the laptop to recover anything you were working on. So, they need access to the decryption key.

Ultimately the problem is that the encryption password and your user account password are solving different security problems and there isn’t a lot of good overlap between the two.

If my personal laptop is stolen, my drive encryption will protect my data. Without that, physical access is enough to pull info unencrypted. A user password will prevent OS access both locally and remote. If someone happens to get my password or bypasses my login somehow, I don’t want them to be able to open my email and read messages, or open a browser, go to a logged in Amazon page, and be able to order items. I personally don’t keep anything logged in and everything logs out when my browser is closed. It’s inconvenient, but to the tune of an extra minute each day to login to everything.

Really, you just have to decide your risk tolerance. Businesses have a lot at stake and therefore it behooves them to force strict auth policies. If you aren’t concerned about your personal stuff, set a login password if you want, and put your creds in browser, but I’d urge to at least use a password keeper over a browser.

I have to sign in to 2-5 programs to complete service for customers

I use shared terminals so I have to sign out when I am done

Each task takes about 3-4 minutes of computer work, feels like most of my time spent is typing in a 15 character password in 2-5 programs. I do this all day, 8hr shift, graveyards.

I just change a single digit number on this password when the 90 day rotation happens. Typing it in incorrectly 3 times gets me locked out, a call to IT. I work for tips, no time for that. My work environment is distracting, noisy and stressful, so even if I wanted to use “best practices” in choosing passwords, I really shouldn’t.

Management refuses to replace keyboards that aren’t in good repair. Several have keys that stick.

I type in a 15-char password probably 100+ times a day.

my phone is dead for 2fa

Lmao skill issue

Who tf keeps their phone charged all day bruh I’m not nearly addicted enough to this shit for thar

Do you not charge it when you sleep? I don’t even have to charge mine every day because it’s pretty new and I’m barely on it. And I use GrapheneOS so it’s debloated.

Probably just paranoid, but I can’t fall asleep if I leave my devices charging. There’s a nagging fear of the battery going up in flames while I’m asleep.

No? I don’t even know where my phone is until I need it. I don’t use it much.

who tf lets their phone discharge midday. does the battery only last 2 hours?

Who tf charges a phone EVERY DAY???

Mfer do y’all live on your phone?

m… me? sorry for offending you. I prefer keeping my phone charged instead of letting it comlletely discharge. no I’m not living on it, I’m living on my desktop.

also I only read lemmy on the phone.

Lol I’m not offended dw, was just a bit shocked that people make it a routine, because for me to go through the effort of doing that, it would mean i actually need my phone to be fully charged every day all day.

I genuinely have no clue where my phone is most of the time and even being medicated for ADHD I don’t see any need to spend precious focused hours on the effort if would take to establish any kind of routine around it.

I have a 6 year old phone which gets charged overnight as I sleep. It still makes it though the day. What the heck are you running which is chewing up your battery so badly?

I charge my phone like once every few days at most, closer to once a week and I don’t run anything, it’s only ever used for music playback and store payment when I’m running errands, banking stuff or authenticator for work.

Our ticketing portal likes to log me out on occasion.
And that can happen while writing a support-report or having the editor for the documentation open.

I had multiple times where I have written a report for a 5h remote and troubleshooting session only to get logged out and being prompted on 15 tabs to authenticate… (╯°□°）╯︵ ┻━┻)

A classic, yeah that was the reference

And that’s why I use a url on my desktop to a 2fa generator that also decodes it with the 2fa key as an argument. It’s like a password sticky note on the monitor, but for 2fa haha.

I would like to know more about this magic URL and how to set it up

I’ve found two that work but one is playing up, just append your key where there is [KEY] and save the shortcut

https://totp.danhersam.com/?key=KEY

https://2fa.zone/2fa/KEY (broken but https://2fa.zone/ works)

Example: https://totp.danhersam.com/?key=7J64V3P3E77J3LKNUGSZ5QANTLRLTKVL

Hey uh, is it such a good idea to send your 2FA key to some website on the internet?

Most certainly not! Haha, you’d need a lot more information than just the key like what the 2fa is for, a username and password. But if your internet access is ever spoofed by someone or there is a hacker that traces your IP address back and tracks your activity, that information can be found.

It should only ever be used for non important things.

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it’s welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
!lemmy411@lemmy.ca: a community for finding communities

_Icon _by _{@Double_A@discuss.tchncs.de}

If you had to ruin an entire app/website by integrating automatic logout, which app would you choose to achieve maximum damage?

Asklemmy

!asklemmy@lemmy.ml

Community stats

Community moderators