Submitted by Ssider69 t3_zzv7s4 in technology
Comments
Fragmented_Logik t1_j2e1k2x wrote
What's the difference between that and something like a fob? I work for the government and we use fobs. Are they that expensive? It always just seemed like a little battery that would have to be replaced to me lol
happyscrappy t1_j2e4lnp wrote
You don't type anything in.
There's no shared secret like TOTP has. With TOTP the shared secret is not conveyed with each auth, that is a step up. But with systems that use PKI there is no shared secret ever conveyed. So there is no information the online service holds that could be leaked (or stolen/sold) which could be used to authenticate as you.
Honestly, the your shared TOTP secret is likely unique per service so someone stealing it from the company could probably only use it on that service anyway.
But also TOTP is nearly never used as primary authentication. It's just a backup to prevent replay attacks (key loggers).
These PKI card systems have been around a long time. They are one of the earliest "smart card" systems, from the 1990s. They could be made cheaply, but the biggest issue is you always need to have a reader with you to employ them. With TOTP you can just type in the number on the screen on a normal keyboard (or screen keyboard). Getting those readers around ads a lot of cost.
Which is why the modern versions of those cards generally just use USB. That's near ubiquitous now. Soon even all phones will have a USB-C port.
Boring_Ad_3065 t1_j2f7rwd wrote
You still type a PIN in for a CAC / PIV. The readers used to come standard on many laptops (the card was inserted and stuck out a bit over a centimeter, barely noticeable) Now they’re a $10-20 accessory, not terribly pricy but annoying if you move a lot with your laptop.
As far as token fobs with OTP, it depends. The RSA hack affected all customers and allowed the hackers to generate the OTPs. Not sure about the two Okta breaches, but there’s only a handful of providers (though MS, Google, and others all have their own), so a breach in one can affect hundreds of companies/services.
https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/
https://techcrunch.com/2022/12/22/okta-breach-source-code-github/
happyscrappy t1_j2faf0d wrote
> You still type a PIN in for a CAC / PIV. The readers used to come standard on many laptops (the card was inserted and stuck out a bit over a centimeter, barely noticeable) Now they’re a $10-20 accessory, not terribly pricy but annoying if you move a lot with your laptop.
The PIN is not a shared secret. You don't type anything in that goes to the service on the other end. The PIN (if used, and it often is) just enables the card. The card does the entire transaction with the other end using a key in the card. A key that is never sent out of the card, not even during account setup.
> As far as token fobs with OTP, it depends. The RSA hack affected all customers and allowed the hackers to generate the OTPs.
Those aren't TOTP. I didn't know those RSA fobs (mine was actually credit card shaped) were even used anymore. They basically work like a rolling code garage door. Either way there is a shared secret, when the fob was created a key was either sent into it or out of it. The other end of the connection uses that shared secret to generate the same sequence as the card is generating.
With a CAV/PIV the private key needed to authenticate is neither sent into nor out of the card ever. It's not stealable with a hack by the manufacturer or anyone else. No one else at all has the key. In theory it can be extracted from the card. They try to make it difficult though. You operate under the theory that the key didn't exist before you generated it. And after that you've had sufficient custody of the card that no evil maid had time to get it out.
Bloody_Smashing t1_j2epqkf wrote
Yubikeys are about $50 each.
ThellraAK t1_j2fugh1 wrote
And you need at least two to use them correctly.
Boring_Ad_3065 t1_j2f8j2k wrote
It’s mostly the physical element to verify the user. For CAC/PIV, it’s an ID badge that also has RFID that some buildings use for building/room accesses, so basically IT security + corporate badge in one.
The RSA fobs are at least as secure, I assume, based on how I’ve seen both used.
https://www.nist.gov/identity-access-management/personal-identity-verification-piv
EvenLeague t1_j2e7uve wrote
Physical keys aren’t feasible for the vast majority of users out there. They get lost, they stop working, and they can be a pain many times since most sites don’t invest in good UX for their login experience.
Companies can pull this off as they have dedicated ops teams that can support the user base.
fluffysunshinerabbit t1_j2eu9hf wrote
With upcoming passkeys support on mobile devices most people can already use this technology without additional hardware
npc48837 t1_j2f9hyv wrote
I have a Yubikey 5C, it has a standard USB-A port for computers, I can use an A to C adapter for my iPad, and NFC on my iPhone. Haven’t had any issues with it in almost a year.
LeonardDeVir t1_j2fe866 wrote
Until the phone is gone or needs to be replaced.
garlopf t1_j2eo646 wrote
Guide for those that don't know: for every randomly selected typeable character you add to you password, it will multiply the number of combinations by around 60. So if your password is 3 characters, that means 60 * 60 * 60 = 60^3 = 216000.
Computer systems exist that can crack passwords by testing each combination one by one (a.k.a. brute force) and their capacity doubles roughly every 2 years. Currently the best of them are assumed to be able to crack passwords of 12 randomly selected digits within "reasonable time". These are farms of hundreds of computers each testing combinations at millions per second for days, months and years.
So if you select a password with 20 randomly selected characters, you will have a nice margin of 60^8= 167961600000000 longer time to crack than what is reasonable by the best technology of today.
You can stay at this edge by adding another randomly selected character every 60/2=30 years.
MastodonVegetable302 t1_j2es4a9 wrote
Are you talking about where the hashes have been stolen?
[deleted] t1_j2es7fo wrote
[removed]
underwatr_cheestrain t1_j2dr0am wrote
Zero knowledge auth
YardFudge t1_j2dxwpe wrote
US Govt has been using CAC / PIV cards for decades
The problem (and security) of all these hardware-based methods is that’s it’s very hard to replace …. meaning there must be a close to 24-365, usually in-person, process to validate a person as to unlock/replace the token/card. Thus it’s expensive — both to man that service and being unable to work while waiting for that service