fido2support
-
by the way, that link was a link from security now, a podcast i regularly listen to.
here is the official duo security address.
my business has used it before, so i think its pretty good at what it does. -
@girish and @nebulon There's another resource like passwordless.dev that is maintained by members of the W3C and FIDO Alliance team that developed passkeys: https://passkeys.dev/ Even if it's tricky to implement passkey support for applications we host in Cloudron, being able to log in to the admin panel with a passkey would be massive as this provides the security of PKI encryption without the overhead nightmare of running a certificate authority.
It includes libraries and guides for thinking through the implementation. Mastodon handles are on the landing page, too, if you have questions. They maintain the site on their own to help orgs looking to adopt passkeys and one of the maintainers is the author of the SimpleWebAuthn (https://github.com/MasterKale/SimpleWebAuthn)
Bitwarden supports passkeys with their iOS mobile app now and in their beta Android app, and 1Password supports them in both mobile apps, so the ecosystem is at a point where there's full cross-platform support (except Linux dammit, but browser-based passkeys will work on Linux) and it's not just iOS or Chrome Password Manager.
-
i'm glad i've made this more of a trending topic on the forum.
this should push more support for FIDO in cloudron. -
-
FID02 would be a great security upgrade
-
I did a test today on a laptop running ZorinOS 17.1 with kernel 6.5.
I can confirm the two-way operation of the system using a QR key with Apple iPhone. On the website 'passkeys.io' I was able to write the key as well as read it.
-
@matix131997 o cool!
-
To add my 2p to this topic: I currently cannot recommend Cloudron to businesses as OTP is phishable.
My recommendation to clients is usually to go with FIDO hardware keys and/or passkeys - especially for mission-critical stuff, thus I cannot recommend Cloudron because it does not support it
Ref. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf, https://www.sectigo.com/resource-library/how-phishers-take-your-one-time-passwords, etc
-
@3246 said in fido2support:
To add my 2p to this topic: I currently cannot recommend Cloudron to businesses as OTP is phishable.
That is exaggerated b/s. OTP is still an industry standard and a good balance between security and convenience (important if you want your 3,000 employees to comply with it!). The article argues that since a bad actor may convince you to reveal your OTP in some other channel, itβs insecure - well, you can hardly get security against stupidity.
And I know many companies who have moved away from hardware keys or cards because of the excessive downtime when users forgot those hardware keys somewhere. -
Anything that can be phished will be phished. Seriously, though, I just want Cloudron to support better security, and FIDO2 beats OTP. I found getting keys physically or software into users' routines easier than getting OTP codes through apps or (shudder) SMS or Email.
I always try to design for as much stupidity as possible. Users display an amazing capacity for finding ways around security tactics. It's worth making that part of the research during the design phase I think ;-0
What's your experience been?
-
@necrevistonnezr said in fido2support:
And I know many companies who have moved away from hardware keys or cards because of the excessive downtime when users forget those hardware keys somewhere.
Ah, yes. That could be a hindrance or mild annoyance. I find that having a password manager that supports passkeys is helpful as a fallback or a primary way to log in. That, or having users have two physical keys ideally. How do you create backups for FIDO2 keys?
-
There is a meme going around as follows...
"There are two types of companies: those who have already been hacked, and those that don't know it yet". @3246 I laughed when I saw the source of the article you posted. Perhaps you have also seen that CISA itself has been hacked: CISA Hacked - CNN, March 2024. No one is immune. No one is too safe. No one is invincible.
All of your points are valid. I have also seen insurance companies that sell cyberliability policies offer to store a cookie in your browser and bypass 2FA. I have also seen banks do the same. That said, we should do everything we can to strengthen our authentication systems (including Cloudron) and I agree with @necrevistonnezr that balance is the key. A hard to use security mechanism will cause users to scream for a bypass (like the aforementioned cookie fiascos). And lost or forgotten hardware keys will likely require another alternative - reducing the intended level of security.
I have no doubt that Team Cloudron will consider adding more secure authentication mechanisms in the future and I support that effort wholeheartedly. But in the interim, I would encourage others to consider the risk/reward tradeoff offered by Cloudron. Personally, I have not seen a better platform and not found a better community of colleagues to dialogue about issues such as this.
-
@3246 you cannot.
the key cannot be backed up because it is at the OS level.
however, some password managers, such as bitwarden (my favorite) can store your passkeys in the cloud, but that's it.
other than that, the closest thing you can do is create 2 separate keys on 2 different devices.
backing up the key, though, is not possible.
and even if you did get in, you still wouldn't be able to get in from the outside.the best thing a hacker would be able tto do is do a sohisticated enough man in the mittle attack, and force the user to change to SMS or a less secure version.
and good luck with that, because my Google account has the Google advanced protection program which as I describe it as the secret service for Google accounts.
which is good, because Google seamed to have gotten hacked very recently. now I wish I can claim 5000 dollars from it, but at least i'm secure. I wanted to claim 5k but I cant because I wasn't involved in this breach.
now I'm gonna turn off advanced protection and I will create a shorter password that way I can claim 5k next time.
I'm kidding, I'm kidding.
but anyways, hope that answers your question -
@3246 said in fido2support:
To add my 2p to this topic: I currently cannot recommend Cloudron to businesses as OTP is phishable.
My recommendation to clients is usually to go with FIDO hardware keys and/or passkeys - especially for mission-critical stuff, thus I cannot recommend Cloudron because it does not support it
Ref. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf, https://www.sectigo.com/resource-library/how-phishers-take-your-one-time-passwords, etc
what you could also do is see if you can get bitwardens business plan, and have it self hosted. then , you could setup a policy that forces all users to login with their passkey. then they could put their TOTp tokens in there.
this does take a little longer, but it's better than nothing. -
also I can agree with you
I tryed giving them resources, like this1 and the users could sign up for the service, and all they would have to do is put in their API key then boom. it would work -
@3246 yeah, I'm a hacker myself, so I know how that shit works.
not to mention the fact it's a 6 digest code. I mean sure, it changes, but some hackers could get lucky.
it becomes even worse when you consider the fact that some apps cloud since. and if you can get say, authy, and get the phone number and they have it since in the cloud, or even more worse, you end up getting a bitwarden csv file that is unencrypted, they could get not just your TOTP but potentially your passwords and your Elon musk crypto YouTube channel. -
@necrevistonnezr said in fido2support:
@3246 said in fido2support:
To add my 2p to this topic: I currently cannot recommend Cloudron to businesses as OTP is phishable.
That is exaggerated b/s. OTP is still an industry standard and a good balance between security and convenience (important if you want your 3,000 employees to comply with it!). The article argues that since a bad actor may convince you to reveal your OTP in some other channel, itβs insecure - well, you can hardly get security against stupidity.
And I know many companies who have moved away from hardware keys or cards because of the excessive downtime when users forgot those hardware keys somewhere.I mean, he's not wrong though. I've had some experience in this field.
and sure, TOTP is good, but what use is it if you can fish it, from a tool like the social engineering toolkit or even better, get some TOTP secrets someware, weather it be from a server breach, or from a hacked device.
o, especially if there's malware on the machine but at that point, you're fucked already.
what I actually did was I setup a policy that only allowed I think 2 rules, allow passkey and allow yubikey OTP, and deny everything else.
users were allowed to use duo on our password manager self hosted, but even then you were only allowed to use u2f keys.
of course, you could also use nitrokey, Wich imo is better than yubikey in some ways, though you don't get that yubikey OTP thingy I talked about earlier. though you can do stuff like encrypted and or hidden storage, and even some hardware level boot security using pureboot, an alternative to UEFI.
here's the software, if anyone's interested -
@crazybrad said in fido2support:
CISA Hacked - CNN, March 2024
so the CISA hack was not a fishing attack at all, far from it.
so what the hackers did in this case was they found what's known as a zero-day flaw.
this is a flaw that exploits a system, but it's a very brand new exploits. almost like a new candy bar. no one knows about it. similar to the zero-day, no one knows about the exploit.
in this case, it was a zeroday in a VPN product known as ivanti, whichis a , well, VPN, but not like the 1's you all might be used to, like serfshark and express VPN.
they use protocols like openVPN which you all may know, and you put it in your network or a dedicated device to act as the kinda gateway.
I think this product would actually go against the NSA commercial solutions for classified (CSFC) components list which ironically, I don't think the CISA follows.
it is in the NIAP-CCEVS compliant product list, but I don't know if it's certified. I don't think it is.
ok nevermind, it is certified by acumen security.
but yes, they did have to take offline their kemical testing tools I think.
nevertheless I think it should be taken off that list considering how bad it hurt certain government agencies.
and even then, there shsould've been some testing with that update, which ever update had the critical bug.
o and furthermore, fuck proprietary VPN tools.
I don't care if you're in a government agency, you should use one source security tools, like wireguard or zero-trust tools like cloud flare gateway, which has user-based authentication.
in fact, check this out.
I know, I got off topic there, but I really needed to stress that.
back to the topic of fishing though, zero-days are commonly worse than fishing and offen have nothing to do with fishing, unless the CVE in question requires the user to be authenticated.
and at that point, you better have your users trained. -
I think they fixed it a month after the insident see this from ivanti connect