This Time Self-Hosted
dark mode light mode Search

Password Managers and U2F

Yet another blog post that starts with a tweet, or two. Even though I’m not by either trade or training clearly a security person, I have a vested interest in security as many of you know, and I have written (or ranted) a lot about passwords and security in the past. I have in particular argued for LastPass as a password manager, and at the same time for U2F security keys for additional security (as you can notice in this post as I added an Amazon link to one).

The other week, a side-by-side of the real PayPal login window and a phishing one that looked way too similar was posted, and I quoted the tweet asking PayPal why do they still not support U2F — technically PayPal does support 2-factors authentication, but that as far as I know that is only for US customers, and it is based on a physical OTP token.

After I tweeted that, someone who I would have expected to understand the problem better, argued that password managers and random passwords completely solve the phishing problem. I absolutely disagree and I started arguing it on Twitter, but the 140 characters limit makes it very difficult to provide good information, and particularly to refer to it later on. So here is the post.

The argument: you can’t phish a password you don’t know, and using password managers, you don’t have to (or have a way to) know that password. Works well in theory, but let’s see how that does not actually work.

Password managers allow you to generate a random, complex password (well, as long as the websites allow you to), and thanks to features such as autofill, you never actually get to see the password. This is good.

Unfortunately, there are plenty of cases in which you need to either see, read, or copy to clipboard the password. Even LastPass, which has, in my opinion, a well defined way to deal with “equivalent domains”, is not perfect: not all Amazon websites are grouped together, for instance. While they do provide an easy way to add more domains to the list of equivalency, it does mean I have about 30 of them customised for my own account right now.

What this means is that users are actually trained to the idea that sometimes the autofill won’t work because the domain is just not in the right list. And even when it is, sometimes the form has changed, and autofill just does not work. I have seen plenty of those situations myself. And so, even though you may not know the password, phishing works if it convinces you that the reason why autofill is not working is not because the site is malicious, but just because the password manager is broken/not working as intended/whatever else.

This becomes even more likely when you’re using one of the more “open” password managers. Many think LastPass is bad, not just because they store your password server-side (encrypted) but also because it interacts directly with the browser. After all, the whole point of the LostPass vulnerability was that UI is hard. So the replacements for geeks who want to be even more secure usually is a separate app that requires you to copy-paste your password from it to the browser. And in that case, you may not know the password, but you can still be phished.

If you want to make the situation even more ridiculous, go back to read my musings on bank security. My current bank (and one of my former ones) explicitly disallow you from using either autofill or copy-paste. Worse they ask you to fill in parts of your password, e.g. “the 2nd, 4th, 12th character of your password” — so you either end up having to use a mnemonic password or you have to look at your password manager and count. And that is very easily phisable. Should I point out that they insist that this is done to reduce chances of phishing?

I have proposed some time ago a more secure way to handle equivalent domains, in which websites can feed back information to the password managers on who’s what. There is some support for things like this on iOS at least, where I think the website can declare which apps are allowed to take over links to themselves. But as far as I know, even now that SmartLock is a thing, Chrome/Android do not support anything like that. Nor does LastPass. I’m sad.

Let me have even more fun about password managers, U2F, and feel okay with having a huge Amazon link at the top of this post:

Edit: full report is available for those who just don’t believe the infographic.

This is not news, I have written about this over two years ago after U2F keys were announced publicly — I have been using one before that, that is not mystery clearly. Indeed, unlike autofill and copy-paste, U2F identification does not involve interaction with the user-person, but is rather tied to the website’s own identification, which means it can’t be phished.

Phishing, as described in the NilePhish case above, applies just as equally to SMS, Authenticator apps and push-notifications, because what the user may perceive is just a little bit more delay. It’s not impossible, though a bit complicated, for a “sophisticated” (or well-motivated) attacker to just render the same exact page as the original site, defeating all those security theatre measure such as login-request IDs, custom avatars and custom phrases — or systems that ask you the 4th, 9th and 15th characters of your password.

User certificates, whether as a file enrolled in the operating system or on a smartcard, are of course an even stronger protection than U2F, but having used them, they are not really that friendly. That’s a topic for another day, though.

Comments 2
  1. I don’t know about “it’s only for US customers”, but Paypal allows the use of Verisign tokens. Verisign makes available a software token app, and the underlying implementation is TOTP. You can set up the app and then examine its files to extract the TOTP secret; after that point, you can use Google Authenticator or a Yubikey or whatever you please to do the code generation when you log in to your Paypal account.Most of the time this is the case, where the services actually use TOTP and actively conceal that fact behind their idea of ease-of-use: “install this app”, “have us mail you this hardware”, etc etc. The holdouts are actually usually the services that require SMS-delivered OTPs.I don’t share the opinion that U2F is a major step forward. TOTP is great, and I’d be fine if every site used it. Normal users are perfectly capable of setting up and using TOTP on their smartphones.

  2. Last I checked, the Verisign token was offered to me on my US account but not on my Irish or Italian accounts — and I really use the Irish one most of the time. I should check again, particularly because at the time the app was not an option, and getting it shipped required me being in the US to pick it up at the office, the app would be handier.Yes you can extract TOTP keys from a number of apps, but that also becomes a pain in the ass as I already wrote last month:… I keep adding more and more apps just to authenticate, it makes no sense. It makes even less sense for PayPal given that *they already have their own app* and I have it installed and logged in.TOTP is not great at all — while I would be happier if sites at least implemented that, it does not prevent phishing from working, it just makes the cost negligibly higher for them. What TOTP (and in general 2-factor and 2-step verification) manages to mitigate is the case in which an attacker got hold of your password, and they tried to login without your presence. But nothing prevents you to type both your password and the security code on the same phishing site.Understanding what each technology protects against is important, and I’m very sad that even within security-conscious people, the difference of mitigation between password managers, (T)OTP and U2F is. They are all complementary jigsaw pieces within a complex picture.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.