client
client copied to clipboard
keybase
[Feature request] Two-factor authentication
Title pretty much says it all. Passwords, even long ones can be brute forced, and once they're gone, they're gone. I'd appreciate even a basic 2fa using google auth (although of course open-source implentations are preferred).
just FYI: Google Authenticator is Free Software, released under the Apache License: https://github.com/google/google-authenticator-android (It's even available from F-droid's app store!)
Also, the auth methods of TOTP and HOTP are RFC and under the public domain for years. it's fully compatible with implementations in Microsoft Azure Authenticator, Keepass and the others out there.
Anyway, I vote +1 for TOTP and/or U2F, which I'm a very happy user of :-)
With the website login being an all-powerful poison pill to revoke all keys, I would feel much better if 2FA was an option.
For the app: Why have just a username + control over an authenticated device at the time of pairing? I was expecting to be asked for the password as well (password + control over a device).
Personally, I’m trying to decide where the-continued-use-of-the-‘pass phrase’-after-signing-up-with-keybase falls on a scale between the achilles heel and the thermal exhaust port.
Adding two factor authentication to protect it does not seem to solve the problem —that a pass phrase that’s encouraged for ‘regular’ keybase.io use also allows for an account to be reset— instead, adding 2FA makes the problem worse.
Please consider the case when a keybase user loses access to all keybase devices and their keys. In that case, the pass phrase is the only way to reset all keys and recover the account. Requiring a 2FA token would likely prevent a legitimate reset, since the 2FA token is likely generated using one of the lost devices. So, adding 2FA will make it impossible to use the pass phrase in the only use case for which it may still be appropriate.
Instead of ‘protecting’ the account reset option with the pass phrase and 2FA, there should be a separation between ‘regular use’ of keybase.io, and the ‘all-other-keys-are-lost-please-reset-my-account use’. The pass phrase can be used for either, but should not be used for both. Instead, when keeping the pass phrase for ‘regular use’, paper keys can help to recover an account. And when keeping the pass phrase for account resets, perhaps the ‘regular use’ of keybase.io can be authenticated by scanning a keybase.io-QR-code with an authenticated keybase device.
What makes keybase.io different from Slack, Github, or Dropbox is that it’s designed that we do not have to trust a centralized server whenever possible. Adding 2FA is a step in the wrong direction.
TL;DR: 2FA bad. Kill pass phrase once device keys exist.
Well, we need more protection but if you lose your keys, yes, you should be able to get back to them. How does this work with, say, Gmail accounts?
TL;DR: 2FA bad
I'll have to reread this to make sure I'm grokking your reasoning. for me, personally, between the passphrase, my pgp key passphrase and paper keys I keep in my KeePass database, I think I'm covered nicely with regards to fallback ways of re-entering my account. The point of a 2FA (and not just TOTP, there are other tools) is to subvert the stealing of your passphrase when you used a foreign computer with a keylogger, for instance. it can be U2F, or hitting OK on the keybase app on your phone, all of those are better than just entering username and passphrase when logging into the website. it can even be used for the CLI, of course, though hardware keys like U2F may be trickier to support.
@seefood U2F is actually pretty easy to support if you use the libraries Yubico has created.
@georghendrik If you use U2F rather than TOTP then there's no central trust required, as you hold the private key and the domain is verified, vs TOTP where the server holds the private keys.
@georghendrik - This should be handled like GitHub etc. do: You store a set of recovery keys (printing these out is suggested), and these can be used instead of the 2FA device when this is lost. Each key is for one-time use only.
@goeddea How is that different from having a paper key? In what scenario do you still have your keybase recovery keys, but not your keybase paper keys?
@seefood Thank you for taking the time to grok it. Please correct me if I’m wrong. There’s a distinction between resetting your account (destroying your data), which is what the pass phrase currently allows, and ‘re-entering’ your account using a device key or paper key (keeping your data).
There is a legitimate use case for resetting an account: it’s a last ditch way of keeping your username if all other methods of ‘re-entering’ are impossible.
In the case that a keybase user cannot ‘re-enter’ their account and legitimately wishes to reset their account, they are not likely to also still have the device that generates 2FA tokens. (For most 2FA users, the token device will not be a U2F one but rather their phone which would have the keybase app installed allowing a ‘re-enter’ instead.) The procedure of resetting the keybase account should therefore not be 2FA protected.
I'd rather see that the login to keybase.io is the same as provisioning a new device: by using a paper key or scanning a qr code — no typing of the pass phrase anywhere unless it's to reset your account.
@goeddea No worries, we're all trying to make Keybase better.
Concerning reading skills, somehow I missed these before: #347 and #1169 on keybase-issues, and about twelve other requests for 2FA. There is also this: A-Plan-for-Two-Factor-Auth, but the author does not seem to be a current Keybase team member.
Edit: the issues are on the keybase-issues repo instead of this repo...
Leaving this here: https://motherboard.vice.com/en_us/article/kz74ym/google-gmail-advanced-protection-security-keys-yubikey
@ruipacheco I'm not really sure how that's relevant in this context. We've already been talking about U2F in this thread
How about: Once you have a provisioned device, require approval from any device along with the password to log in to the Web UI.
Now all you need is to make a paper key as a backup plan, and you're set.
And for people who sign up via Web UI and never provision a device, pester them relentlessly!!! mwahahaha
U2F is becoming a pretty major hardware token standard. There is even a W3C standard forming around it with chrome support today https://w3c.github.io/webauthn/
A quick search on Amazon turns up multiple cheap -> expensive USB tokens supporting the U2F standard.
The way I protect my account from being deleted without my permission is I just try to keep my logins down to a minimum and never login to a browser window.
However:
- Since multiple accounts require logout and login on my device....... ugh... every time I login I wonder if some tricky MITM browser popup isn't just trying to intercept my password since my password is all they need to destroy my account. (Can't impersonate me, but destroying my entire sigchain is just as bad IMO)
- Implementing TOTP 2FA literally takes 5 minutes. Add new endpoint called {user}/2fa/register and when they visit, check if they have TOTP enabled, if not, send them a response with 2FA token. Store the token in the DB, but keep the TOTP flag as disabled. Then give them a box to type their 6 digit code, when they click submit, it just POSTs the 6 digit code, then you check with the secret on the DB, if it matches, set TOTP to enabled on the DB and send them a nice "enabled, good job!" message. Then ask for it every time someone tries to login via web. (imo TOTP is only needed for web, so login via device doesn't need to ask for TOTP token)
I think the biggest reasons why this isn't implemented is:
- There is an idea in keybase team that "if a user loses everything (phone with 2FA, phone with device key, PC device key / paper key etc.) they should be able to wipe everything clean and restart anew (or delete their account) with only their username and password"... which I think is an ok DEFAULT for people who don't quite understand technology, or don't quite understand Keybase and how it works...
But I understand Keybase, and I would like an option to disallow someone who was able to phish me once from irrevocably destroying my entire account on Keybase, and affecting all the teams I manage... FOREVER.
Adding a tiny 2FA TOTP check on a small set of login requests is such a simple request, and could prevent some REALLY bad things happening to users.
If you're really worried about users losing everything, plop a big red warning on the TOTP registration screen. "Having this on and losing the 2FA device along with every device key will mean there is no way to recover your account and it will be frozen in time for all eternity. So be warned."
I would code it myself (in fact I would love to if you're willing to share the source with my privately) but the source of the web backend is not available publicly.
Another solution to this problem is to just never be phished, ever.
Please start supporting USB keys (e.g., NitroKey, YubiKey, etc.) or at least traditional authenticator apps (such as Google Authenticator). I consider this basic security in 2018, especially for a service like Keybase.
If you're looking for an integration of Yubikeys as TOTP sources via the go core (not sure if that's really the case here) https://github.com/yawn/ykoath might fit the bill.
All: we have "lockdown" mode now, which gives you the benefits of 2FA without having to deal with codes: https://keybase.io/docs/lockdown/index
I love the new lockdown feature. It's so much better than classic 2FA.
In classic 2FA model, if the server is compromised, all the 2FA secrets are leaked. The hacker can then recreate any 2FA tokens on their device and if the break-in remained undetected by the server, then they would have a master key to everyone's 2FA without anyone knowing.
In the Keybase device key NIST model, the pubkeys of the devices are signed into the sigchain and committed to the blockchain... those SAME KEYS are the ones signing the request, and are ONLY accessible via an approved device.
This makes Keybase in lockdown mode much more secure than a keybase with some hypothetical 2FA (Authy/Google Auth)...
We are very happy with this feature, and I think this issue can be closed IMO.
One more thing I would add to make it even more secure is device permissions management. So I could revoke the permission of "add/revoke device" from all my devices besides my phone or paper key or something... then if my PC got hacked, they would get all my private info, BUT they wouldn't be able to revoke all my other devices, add their own device, and then revoke my PC from their newly added device, thus taking over my account without anyone getting a warning.
"Default new devices to not have device-add-revoke privileges" as a setting would also be nice.
But to be honest, that one final nit pick is not a "downside to lockdown mode" as someone who hacked your PC will see you log in to any service with 2FA and can screen-cap all your private emails, even open a hidden browser in the background and browse through your mails...
The "if your device gets hacked" attack scenario in almost every single service (gmail even) is catastrophic... but it would be nice if Keybase could help lock that down a little bit more.
@junderw These downsides don't apply to U2F/WebAuthn, which would be the preferred way to implement 2FA in 2018
These downsides don't apply to U2F/WebAuthn
@smiller171 U2F uses public key crypto within the U2F device... but in Keybase the private keys are used extensively and must reside within their respective devices themselves (Phone, PC etc.)
Adding U2F to the current model would not make anything more secure. If my account is locked down, and I add U2F to the login process, how would that help?
2FA is meant to prevent a hacker from Russia (aka not in my box via rootkit etc) to enter my account via credential stuffing etc.
Currently the only place where that was possible is the web UI. Which a credential stuffer could log in and reset all keys. Then initialize his own device. (Keybase does provide warnings to people who try to interact to someone who recently reset all keys, but this could easily be ignored)
So even without 2FA, the credential stuffer was limited in scope of attack.
But now that I can lockdown my account, my Web login (the only area a credential stuffer could access) has 0 power. Nothing can be done from the web UI.
If you want to log in you need to completely take control of a device I have previously signed into my sigchain.
While I agree it would be cool to have a device support (whether it is U2F or not is irrelevant) where we could use a specific device (like a smartcard ie. Yubikey) as our "sole device approver/revoker"...
Which is exactly how I explained my "next step" recommendation. And the ONLY way a U2F device would be useful in the current Keybase security model.
Are you well versed in the way Keybase works? If so, then explain how you would think U2F could add a layer of security to a locked down account, and what attacks it could prevent.
"Anyone who doesn't use xxxx in year yyyy is insecure." is a poor argument.
But now that I can lockdown my account, my Web login (the only area a credential stuffer could access) has 0 power. Nothing can be done from the web UI.
I want to use the web in some circumstances, I just want it protected by 2FA. I'm not asking for a U2F requirement on other devices.
I want to use the web in some circumstances
The web, even when not locked down, is severely nerfed and only kept there for old users who joined before the device based NaCl model was adopted.
Encouraging use of the web UI is probably not wise unless they add some new features to it. (ie. make the web a "device" and store the encryption keys in localStorage etc.) But this will undoubtedly lower security of any account using it (browser crypto is prone to error and localStorage is one XSS from a browser extension away from being stolen at any time... so I doubt they will do this.)
Adding 2FA to the web UI at this point would be like saying "well, we have a small set of users that refuse to add a device and only want to use the old keybase (which was web-based)... so do we appease them by adding 2FA which will still leave them open to a plethora of attacks, or do we try to encourage them to add and set up their devices in a way that is MORE secure than web+2FA."
The former is a valid decision, though it seems like backporting a bugfix to a version released 10 years ago because "some people still rely on it... sooooo"
At some point, Windows XP users need to upgrade. At some point, Keybase web-only users need to add a device.
Reminder: I am not a member of Keybase.
Might I point out the app, for MacOS/Linux/Windows is just some blob of code we downloaded off the Website?
