Yeah, and the new Apple Passwords app is incredibly convenient too! Authentication is as simple as touching the fingerprint scanner to fill in first your username and password, and then TOTP ā no need for a separate app to handle TOTP like Google Authenticator or whatever.
I also wonder if it works similarly in Microsoft? Also, do you know if Microsoft uses E2EE for handling this type of user data?
Microsoft stores the TOTP token in a blob on your onedrive, I believe this is encrypted. I would assume E2EE.
Authentication is as simple as touching the fingerprint scanner to fill in first your username and password, and then TOTP ā no need for a separate app to handle TOTP like Google Authenticator or whatever.
This is no longer 2FA. Donāt store your TOTP tokens in your password manager.
This is a useful article + youtube video before I go too far off topic.
Typically useless! Not everyone has or (cares to have) āonedriveā.
Trust Microsoft to be different!
Really? Where exactly?
Whatās the attack vector? When you use Google Authenticator or Microsoft Authenticator, storing tokens in their cloud is different from Appleās model. Both Google and Microsoft now offer cloud backup options, but they donāt seem to provide the same level of E2EE as Appleās Advanced Data Protection. This means Google or Microsoft could access your tokens, or they could be exposed if their cloud gets compromised.
And, even if they offered E2EE like Apple, itād be still hard to trust them, since they generate most of their revenue (Google in particular) by using or even selling user data for advertising purposesā¦
- The JWE and the Key ID are then uploaded to the appropriate cloud storage:
- For Android devices, they are stored in Microsoftās cloud storage provider and tied to the userās personal Microsoft account.
- For iOS devices, they are stored in iCloud and tied to the userās Apple account.
If I can find where Steve Gibson security expert says on his podcast that doing this is bad I will post back. but if you only need to authenticate once then this is 1FA, not 2FA.
Correct, and this is why you should not use the Microsoft, Apple or Google Authenticator apps. Using these has many issues, such as you cannot backup your tokens locally and the Microsoft 2FA infinite login loop.
I recommend 2FAS, see my article for my reasonings and researchā¦
You can save your tokens during registration, store them in an encrypted plain text file, and back them up to a E2EE cloud service like Proton or iCloud. I think thatās plenty secure.
What do you mean by saying āif you only need to authenticate onceā?
It seems like a cool app, however it does not seem they mention using E2EE for its cloud sync featureā¦ Thatās risky.
Thatās the backup feature of MS Authenticator and has nothing to do with the token storage location (which isnāt situated in OneDrive anyway). If youāre worried about, then just donāt enable the backup and youāre good to go.
You can save your tokens during registration, store them in an encrypted plain text file, and back them up to a E2EE cloud service like Proton or iCloud. I think thatās plenty secure.
This is not practical (for me at least). I know what you are saying when you register you can export the keys from the particular provider or login in to that website and usually download them gain. But some only allow you to do this when you register.
What do you mean by saying āif you only need to authenticate onceā?
Above you said the apple things works by you only being required to use your fingerprint and then the phone enters your username and passwords + the TOTP, this is 1FA. It does not matter what details it fills in, I only need your fingerprint or to get passed that.
A chain is only as strong as the weakest link.
Donāt use Microsoft Authenticator, it is a terrible app.
The browser extensions is, so maybe the phone app is aswell.
All communication between your phone and your browser is end-to-end encrypted by default, using RSA OAEP encryption with SHA-512 algorithm.
Please do me a favour and explain why.
I didnāt say phone. Lockdown modes can disable biometrics, but that doesnāt make it 1FA. 2FA is about the service itself, not how you manage TOTP tokens or store data.
I already did.
- infinite login loop to some Microsoft products
- If you do not install the app correctly on a new device it will wipe out your token blob on the backup, then they are gone for good.
- You cannot export tokens from your phone locally
Thats where we differ. It does not matter how many services are required to login into a system if you have one single authentication required and you login with that that, then it is not 2FA.
I run bitwarden and it offers a TOTP storage option. If my Bitwarden gets hacked and someone access the vault which stores my TOTP and passwords, then they can access everything. If my TOTP are stored elsewhere like 2FAS then they would need this as well.
I will never use bitwarden to store my TOTP for this reason.
I think the best is to backup and store your TOTP tokens encrypted on an encrypted drive and/or in an encrypted cloud. That way, you have them in plain text when needed and have full control of.
In the end, you donāt need any of those authenticator apps ā you can just use the oathtool command-line util.