happyscrappy t1_j2e4lnp wrote

You don't type anything in.

There's no shared secret like TOTP has. With TOTP the shared secret is not conveyed with each auth; that is a step up. But with systems that use PKI there is no shared secret ever conveyed. So there is no information the online service holds that could be leaked (or stolen/sold) which could be used to authenticate as you.

Honestly, your shared TOTP secret is likely unique per service so someone stealing it from the company could probably only use it on that service anyway.

But also TOTP is nearly never used as primary authentication. It's just a backup to prevent replay attacks (key loggers).

These PKI card systems have been around a long time. They are one of the earliest "smart card" systems, from the 1990s. They could be made cheaply, but the biggest issue is you always need to have a reader with you to employ them. With TOTP you can just type in the number on the screen on a normal keyboard (or screen keyboard). Getting those readers around adds a lot of cost.

Which is why the modern versions of those cards generally just use USB. That's near ubiquitous now. Soon even all phones will have a USB-C port.

14

Boring_Ad_3065 t1_j2f7rwd wrote

You still type a PIN in for a CAC / PIV. The readers used to come standard on many laptops (the card was inserted and stuck out a bit over a centimeter, barely noticeable). Now they're a $10-20 accessory, not terribly pricy but annoying if you move a lot with your laptop.

As far as token fobs with OTP, it depends. The RSA hack affected all customers and allowed the hackers to generate the OTPs. Not sure about the two Okta breaches, but there’s only a handful of providers (though MS, Google, and others all have their own), so a breach in one can affect hundreds of companies/services.

https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/

https://techcrunch.com/2022/12/22/okta-breach-source-code-github/

7

happyscrappy t1_j2faf0d wrote

> You still type a PIN in for a CAC / PIV. The readers used to come standard on many laptops (the card was inserted and stuck out a bit over a centimeter, barely noticeable). Now they're a $10-20 accessory, not terribly pricy but annoying if you move a lot with your laptop.

The PIN is not a shared secret. You don't type anything in that goes to the service on the other end. The PIN (if used, and it often is) just enables the card. The card does the entire transaction with the other end using a key in the card. A key that is never sent out of the card, not even during account setup.

> As far as token fobs with OTP, it depends. The RSA hack affected all customers and allowed the hackers to generate the OTPs.

Those aren't TOTP. I didn't know those RSA fobs (mine was actually credit card shaped) were even used anymore. They basically work like a rolling code garage door. Either way there is a shared secret, when the fob was created a key was either sent into it or out of it. The other end of the connection uses that shared secret to generate the same sequence as the card is generating.

With a CAC/PIV the private key needed to authenticate is neither sent into nor out of the card ever. It's not stealable with a hack by the manufacturer or anyone else. No one else at all has the key. In theory it can be extracted from the card. They try to make it difficult though. You operate under the theory that the key didn't exist before you generated it. And after that you've had sufficient custody of the card that no evil maid had time to get it out.

2
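As an added illustration of the distinction drawn in the thread (this is example code, not anything posted by the commenters): a TOTP verifier, where the service's stored secret computes exactly the code the token shows, beside a simplified PIV-style challenge-response where the service stores only a public key. The Card type, the challenge bytes and the RFC 6238 test secret are constructed for the example; Card is a stand-in and not a real PIV applet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
)

// TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits). The service stores the
// same secret the token holds, so a copy of its database yields valid codes.
func TOTP(secret []byte, unixTime int64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// Card is a simplified stand-in for a PIV card (not a real PIV applet): the
// private key is generated inside and only signatures ever leave it.
type Card struct{ priv *ecdsa.PrivateKey }

// NewCard generates the key on the card; the service only ever gets the public half.
func NewCard() (*Card, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, &priv.PublicKey, nil
}

// Sign answers the service's random challenge without exporting the key.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Verify is the service-side check; the stored public key alone cannot produce a passing signature.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

With the RFC 6238 test secret, TOTP at Unix time 59 is 287082, and anyone holding a copy of that secret computes the same value; a copy of the card's public key verifies signatures but cannot create one.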